Windows Analysis Report
kjDPynh9vQ.exe

Overview

General Information

Sample name: kjDPynh9vQ.exe (renamed because original name is a hash value)
Original sample name: a94e88b82d8b95386186b27736dff926.exe
Analysis ID: 1576611
MD5: a94e88b82d8b95386186b27736dff926
SHA1: 1c3e3a04d8d2f43867f4441ea230f5893cd14d76
SHA256: a9d9260b88c2a2f7543c9d9d61366685b2595517fbeb64cc7129898213d56b8e
Tags: exe, user-abuse_ch

Detection

Credential Flusher
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Credential Flusher
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • kjDPynh9vQ.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\kjDPynh9vQ.exe" MD5: A94E88B82D8B95386186B27736DFF926)
    • taskkill.exe (PID: 7612 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7708 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7764 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7820 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • taskkill.exe (PID: 7884 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • firefox.exe (PID: 7948 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • firefox.exe (PID: 7984 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
    • firefox.exe (PID: 8000 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 7244 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2208 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2fc85f1-1a2d-4561-b18f-bae297b79c3b} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1174be6e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 3556 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3792 -prefMapHandle 3840 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5bf1d68-33a4-4d18-a21d-584b68b3679b} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1175beefd10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • firefox.exe (PID: 8012 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3768 -prefMapHandle 4508 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a151f8c8-1b7f-4b6c-8e13-c9b62c2c0a41} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1176405a510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: Process Memory Space: kjDPynh9vQ.exe PID: 7556
Rule: JoeSecurity_CredentialFlusher
Description: Yara detected Credential Flusher
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched


    AV Detection

Source: kjDPynh9vQ.exe | Avira: detected
Source: kjDPynh9vQ.exe | Virustotal: Detection: 31%
Source: kjDPynh9vQ.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: kjDPynh9vQ.exe | Joe Sandbox ML: detected
Source: kjDPynh9vQ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49774 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.9:49834 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49842 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49841 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49843 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49844 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49913 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49914 version: TLS 1.2
Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV | source: gmpopenh264.dll.tmp.14.dr
Source: Binary string: wshbth.pdbGCTL | source: firefox.exe, 0000000E.00000003.1510234892.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510306330.000001175B5E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NapiNSP.pdbUGP | source: firefox.exe, 0000000E.00000003.1509601010.000001175B5DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1509425130.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wshbth.pdb | source: firefox.exe, 0000000E.00000003.1510234892.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510306330.000001175B5E4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdb | source: firefox.exe, 0000000E.00000003.1509425130.000001175B588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NapiNSP.pdb | source: firefox.exe, 0000000E.00000003.1509601010.000001175B5DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1509425130.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netprofm.pdb | source: firefox.exe, 0000000E.00000003.1507481783.000001175B588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb | source: gmpopenh264.dll.tmp.14.dr
Source: Binary string: pnrpnsp.pdbUGP | source: firefox.exe, 0000000E.00000003.1509425130.000001175B588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netprofm.pdbUGP | source: firefox.exe, 0000000E.00000003.1507481783.000001175B588000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00BEDBBE
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BBC2A2 FindFirstFileExW,0_2_00BBC2A2
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF68EE FindFirstFileW,FindClose,0_2_00BF68EE
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00BF698F
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BED076
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BED3A9
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BF9642
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BF979D
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00BF9B2B
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00BF5C97
Source: firefox.exe | Memory has grown: Private usage: 1MB later: 227MB
Source: unknown | Network traffic detected: DNS query count 31
Source: Joe Sandbox View | IP Address: 34.149.100.209
Source: Joe Sandbox View | IP Address: 34.117.188.166
Source: Joe Sandbox View | IP Address: 151.101.193.91
Source: Joe Sandbox View | IP Address: 34.160.144.191
Source: Joe Sandbox View | JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BFCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00BFCE44
Source: global traffic | HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic | HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1546588063.0000011767E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8*://www.facebook.com/* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1595936784.00000117642B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576437693.00000117642B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609166594.00000117642B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8*://www.facebook.com/* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1621978962.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1544611714.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573708146.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8*://www.youtube.com/* equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1542695764.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543769175.0000011768259000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581929813.000001175DA8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1542695764.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581929813.000001175DA8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571961254.0000011768299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1607639276.0000011764A84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546588063.0000011767E8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1621978962.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1544611714.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573708146.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: SERP Ad Telemetry Rolloutcsv-import-release-rolloutKey must be non empty string.WillChangeBrowserRemotenesshttps://www.amazon.co.uk/CSV Import (Release Rollout)serpEventTelemetryEnabledupgrade-spotlight-rolloutreloadWithHttpsOnlyExceptionmessage-manager-disconnecthttps://www.aliexpress.com/getFailedCertSecurityInfohttps://www.wikipedia.org/requestStorageAccessUnderSiteserp-ad-telemetry-rollouthttps://www.facebook.com/updateSessionStoreForStoragehttps://www.wikipedia.org/upgrade-spotlight-rolloutserp-ad-telemetry-rolloutDidChangeBrowserRemotenessdocument-element-insertedcsv-import-release-rolloutrs-experiment-loader-timer equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1542695764.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543769175.0000011768259000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581929813.000001175DA8C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1542695764.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581929813.000001175DA8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571961254.0000011768299000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB603000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB603000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB603000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1544611714.0000011767EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573708146.0000011767EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621978962.0000011767EAC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: moz-extension://6ce79cb5-15f7-4802-bae6-9c49e29d85ec/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1607639276.0000011764A84000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1621978962.0000011767ED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597430981.0000011757ED8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
    Source: firefox.exe, 0000000E.00000003.1616745609.000001175DCB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCAE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
    Source: firefox.exe, 0000000E.00000003.1518465499.000001175D0B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587522887.000001175D8F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1535547889.000001175F599000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1472700511.000001175D0B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1536456570.000001175D0B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1591439533.000001175D8F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513364915.000001175F596000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1525154960.000001175D0B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
    Source: firefox.exe, 0000000E.00000003.1584816930.000001175DA51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads-us.rd.linksynergy.com/as.php
    Source: firefox.exe, 0000000E.00000003.1585054705.000001175DA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ads.stickyadstv.com/firefox-etp
    Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://api.accounts.firefox.com/v1
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
    Source: firefox.exe, 0000000E.00000003.1596226988.0000011759E56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1631557267.000001175C555000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
    Source: firefox.exe, 0000000E.00000003.1595767713.00000117642D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588680954.000001175D811000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547567359.000001176799F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576437693.00000117642D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609069790.00000117642E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466359594.00000117642D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1591733211.000001175D811000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://blocked.cdn.mozilla.net/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
    Source: firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
    Source: firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
    Source: firefox.exe, 0000000E.00000003.1622375559.00000117676BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
    Source: firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1170143
    Source: firefox.exe, 0000000E.00000003.1475105659.0000011765C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
    Source: firefox.exe, 0000000E.00000003.1475105659.0000011765C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
    Source: firefox.exe, 0000000E.00000003.1475326815.0000011765C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1476061182.0000011765C55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1207993
    Source: firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475283867.0000011765C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1266220
    Source: firefox.exe, 0000000E.00000003.1475105659.0000011765C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
    Source: firefox.exe, 0000000E.00000003.1475326815.0000011765C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475105659.0000011765C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475283867.0000011765C3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
    Source: firefox.exe, 0000000E.00000003.1579462149.000001175DD31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
    Source: firefox.exe, 0000000E.00000003.1475326815.0000011765C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1476061182.0000011765C55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=792480
    Source: firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=793869
    Source: firefox.exe, 0000000E.00000003.1475326815.0000011765C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=809550
    Source: firefox.exe, 0000000E.00000003.1475326815.0000011765C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=840161
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
    Source: firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://completion.amazon.com/search/complete?q=
    Source: firefox.exe, 0000000E.00000003.1588924053.000001175D656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1626230870.000001175D657000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net
    Source: firefox.exe, 0000000E.00000003.1626230870.000001175D665000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net/
    Source: firefox.exe, 0000000E.00000003.1595767713.00000117642D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576437693.00000117642D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609069790.00000117642E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466359594.00000117642D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://content.cdn.mozilla.net
    Source: firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
    Source: firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
    Source: firefox.exe, 0000000E.00000003.1554648937.000001175E299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609546854.000001176427F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1609546854.000001176427F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1611828370.000001175F7DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://contile.services.mozilla.com/v1/tiles
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://coverage.mozilla.org
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://crash-stats.mozilla.org/report/index/
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/993268
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://dap-02.api.divviup.org
    Source: firefox.exe, 0000000E.00000003.1584816930.000001175DA51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://datastudio.google.com/embed/reporting/
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarningElem
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
    Source: firefox.exe, 0000000E.00000003.1537614959.000001175DB27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
    Source: firefox.exe, 0000000E.00000003.1536625545.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510241422.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1472261839.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475413886.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616559452.000001175DCD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/
    Source: firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/y
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/SelectOptionsLengthAssignmentW
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1607070018.0000011765ED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF30713000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
    Source: firefox.exe, 0000000E.00000003.1446025262.000001175C952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1447766525.0000011765DCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
    Source: firefox.exe, 0000000E.00000003.1446025262.000001175C952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1448460001.000001175C963000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
    Source: firefox.exe, 0000000E.00000003.1447766525.0000011765DCA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
    Source: firefox.exe, 0000000E.00000003.1547197439.00000117679DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
    Source: firefox.exe, 0000000E.00000003.1596442007.0000011758B55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1607070018.0000011765ED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF30713000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
    Source: firefox.exe, 00000013.00000002.2618073891.000001FF307C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
    Source: firefox.exe, 00000013.00000002.2618073891.000001FF307C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
    Source: firefox.exe, 00000013.00000002.2618073891.000001FF30730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
    Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
    Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
    Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
    Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
    Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
    Source: firefox.exe, 00000013.00000002.2618073891.000001FF307C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
    Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
    Source: firefox.exe, 0000000E.00000003.1623351488.000001176420E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
    Source: firefox.exe, 00000013.00000002.2618073891.000001FF307C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
    Source: firefox.exe, 0000000E.00000003.1519636785.0000011764315000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
    Source: firefox.exe, 0000000E.00000003.1519636785.0000011764315000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
    Source: firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
    Source: firefox.exe, 0000000E.00000003.1606024271.0000011767C3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/uuidjs/uuid#getrandomvalues-not-supported
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
    Source: firefox.exe, 0000000E.00000003.1475326815.0000011765C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1476061182.0000011765C55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1476620968.0000011765C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623471754.000001175F7A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547899543.000001176763E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ib.absa.co.za/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
    Source: firefox.exe, 0000000E.00000003.1600557915.000001176796F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/oldsyncS
    Source: firefox.exe, 0000000E.00000003.1581808244.000001175DA96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1587259918.000001175DA96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584366631.000001175DA96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/relay
    Source: firefox.exe, 0000000E.00000003.1600557915.000001176796F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/H
    Source: firefox.exe, 0000000E.00000003.1600557915.000001176796F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/HCX
    Source: firefox.exe, 0000000E.00000003.1600557915.000001176796F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryU
    Source: firefox.exe, 0000000E.00000003.1600557915.000001176796F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryUFj
    Source: firefox.exe, 0000000E.00000003.1609748003.0000011764225000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
    Source: prefs-1.js.14.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
    Source: firefox.exe, 0000000E.00000003.1542545785.00000117682EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1552706900.000001175F24D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF307F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/698b39bc-f0a1-485a-834b-15098
    Source: firefox.exe, 0000000E.00000003.1583025650.0000011768189000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/metrics/1/f8d9e3ee-ddf3-4de0-8bea-c253
    Source: firefox.exe, 0000000E.00000003.1582805975.0000011768270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/newtab/1/cb77fc44-213e-46f2-a233-e27b2
    Source: firefox.exe, 0000000E.00000003.1542695764.0000011768270000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583025650.0000011768189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582805975.0000011768270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/19cc2278-504d-4817
    Source: firefox.exe, 0000000E.00000003.1542695764.0000011768270000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583025650.0000011768189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582805975.0000011768270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/9877b67c-b9c3-4e9e
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
    Source: firefox.exe, 0000000E.00000003.1601574102.000001176455E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
    Source: firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
    Source: firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
    Source: firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
    Source: firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1596442007.0000011758B70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
    Source: firefox.exe, 0000000E.00000003.1550108167.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610952868.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577147529.0000011764090000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
    Source: firefox.exe, 0000000E.00000003.1550108167.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610952868.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577147529.0000011764090000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
    Source: firefox.exe, 0000000E.00000003.1584816930.000001175DA51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lookerstudio.google.com/embed/reporting/
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
    Source: firefox.exe, 00000012.00000002.2618028535.000001BBBB685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF3078F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
    Source: firefox.exe, 0000000E.00000003.1597430981.0000011757EBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
    Source: firefox.exe, 0000000E.00000003.1483732238.000001175B562000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
    Source: firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
    Source: firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1420884359.000001175B133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529172822.000001175B131000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1507805926.000001175B10F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
    Source: firefox.exe, 0000000E.00000003.1596226988.0000011759E56000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
    Source: firefox.exe, 0000000E.00000003.1597430981.0000011757EF1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com
    Source: firefox.exe, 0000000E.00000003.1626230870.000001175D665000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com/
    Source: firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
    Source: firefox.exe, 0000000E.00000003.1588680954.000001175D811000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1591733211.000001175D811000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
    Source: firefox.exe, 0000000E.00000003.1611632931.0000011764055000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
    Source: firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
    Source: firefox.exe, 0000000E.00000003.1611632931.0000011764055000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
    Source: firefox.exe, 0000000E.00000003.1611632931.0000011764055000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
    Source: firefox.exe, 0000000E.00000003.1597430981.0000011757EBA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com
    Source: firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596442007.0000011758B55000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://screenshots.firefox.com/
    Source: firefox.exe, 0000000E.00000003.1537614959.000001175DB27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
    Source: firefox.exe, 0000000E.00000003.1576818484.000001176413A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
    Source: firefox.exe, 0000000E.00000003.1590457510.000001175D1A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
    Source: firefox.exe, 0000000E.00000003.1592329803.000001175C2F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/facebook.svg
    Source: firefox.exe, 0000000E.00000003.1592329803.000001175C2F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://smartblock.firefox.etp/play.svg
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
    Source: firefox.exe, 0000000E.00000003.1595767713.00000117642D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576437693.00000117642D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609069790.00000117642E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466359594.00000117642D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com
    Source: firefox.exe, 0000000E.00000003.1554648937.000001175E299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1607070018.0000011765ED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF30713000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/
    Source: firefox.exe, 0000000E.00000003.1554648937.000001175E299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597430981.0000011757ED8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589292006.000001175D649000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs#
    Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/spocs#l
    Source: firefox.exe, 0000000E.00000003.1612137830.000001175F4BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF307F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://spocs.getpocket.com/user
    Source: firefox.exe, 0000000E.00000003.1616745609.000001175DCB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
    Source: firefox.exe, 0000000E.00000003.1616745609.000001175DCB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
    Source: firefox.exe, 0000000E.00000003.1591838828.000001175C5D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1595323217.0000011759EF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
    Source: firefox.exe, 0000000E.00000003.1556213710.000001175DCE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606261686.00000117679DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615352453.000001175E287000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584241626.000001175DCF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616512559.000001175DCF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547197439.00000117679DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
    Source: firefox.exe, 0000000E.00000003.1576772167.000001176429A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/firefox-relay-integration
    Source: firefox.exe, 0000000E.00000003.1466939019.000001175DABB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584567551.000001175DA72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/captive-portal
    Source: firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
    Source: firefox.exe, 0000000E.00000003.1517054241.000001175E7B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
    Source: firefox.exe, 0000000E.00000003.1578992514.000001175F18F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1612969633.000001175F198000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
    Source: firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1574438687.0000011767E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1574438687.0000011767E0C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
    Source: firefox.exe, 0000000E.00000003.1574438687.0000011767E08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://topsites.services.mozilla.com/cid/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
    Source: firefox.exe, 0000000E.00000003.1595323217.0000011759EF6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://truecolors.firefox.com
    Source: firefox.exe, 0000000E.00000003.1571961254.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
    Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vk.com/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
    Source: firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
    Source: firefox.exe, 0000000E.00000003.1583421733.0000011764AFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576140732.0000011764AFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1601512028.0000011764AFD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://watch.sling.com/
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://webcompat.com/issues/new
    Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpString found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
    Source: firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://webpack.js.org/concepts/mode/)
    Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578731608.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623730487.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
    Source: firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
    Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
    Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
    Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
    Source: firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/CSV
Source: firefox.exe, 0000000E.00000003.1571961254.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: firefox.exe, 0000000E.00000003.1536625545.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510241422.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583421733.0000011764AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1472261839.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475413886.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576140732.0000011764AF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000000E.00000003.1466359594.00000117642D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000000E.00000003.1491804014.000001175B550000.00000004.00000020.00020000.00000000.sdmp, gmpopenh264.dll.tmp.14.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.de/
Source: firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000000E.00000003.1610810355.000001176411C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 0000000E.00000003.1441145375.0000011764480000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1440488682.000001176438C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/search613d1391-4be5-4296-80e2-cfb740de6607cb8e7210-9f0b-48fa-8708-b9
Source: firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 0000000E.00000003.1536625545.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510241422.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1472261839.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616745609.000001175DCB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475413886.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616559452.000001175DCD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000000E.00000003.1581302819.000001175DAE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr | String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/SSF_updateSessionStoreForStoragefeatureUpdate:cm-csv-importwww.google.com
Source: firefox.exe, 0000000E.00000003.1616745609.000001175DCB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mobilesuica.com/
Source: firefox.exe, 0000000E.00000003.1597430981.0000011757EFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1601574102.00000117645AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: firefox.exe, 0000000E.00000003.1446025262.000001175C952000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1448460001.000001175C963000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: firefox.exe, 0000000E.00000003.1576772167.000001176429A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
Source: firefox.exe, 0000000E.00000003.1600957216.00000117676F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547605819.00000117676F6000.00000004.00000800.00020000.00000000.sdmp, targeting.snapshot.json.tmp.14.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: firefox.exe, 0000000E.00000003.1629762691.00000117645B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1622607328.00000117645B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 0000000E.00000003.1576772167.000001176429A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
Source: firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 0000000E.00000003.1629762691.00000117645B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1622607328.00000117645B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: firefox.exe, 00000013.00000002.2618073891.000001FF307F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000000E.00000003.1603762860.0000011767F94000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000000E.00000003.1623268141.0000011764247000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609670342.0000011764244000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000000E.00000003.1550108167.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610952868.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577147529.0000011764090000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578731608.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623730487.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000000E.00000003.1571961254.0000011768299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000000E.00000003.1583421733.0000011764AFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576140732.0000011764AFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1601512028.0000011764AFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 0000000E.00000003.1544611714.0000011767EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573708146.0000011767EAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621978962.0000011767EAC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/
Source: firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF3070C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000000E.00000003.1578731608.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623730487.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000000E.00000003.1623973141.000001175E625000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588143532.000001175D883000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1625335396.000001175D883000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000000E.00000003.1550108167.000001176406F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/
Source: recovery.jsonlz4.tmp.14.dr | String found in binary or memory: https://youtube.com/account?=
Source: firefox.exe, 00000013.00000002.2622820325.000001FF30820000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/chal
Source: firefox.exe, 0000000E.00000003.1612338566.000001175F49D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552211983.000001175F280000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2618433158.000001E59ED8A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2617919005.000001E59ED54000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2617218674.000001BBBB4C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2622159422.000001BBBB704000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2617218674.000001BBBB4CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2622820325.000001FF30824000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2616580475.000001FF3047A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2616580475.000001FF30470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000010.00000002.2618433158.000001E59ED80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd)
Source: firefox.exe, 0000000C.00000002.1401417832.000002646DEF0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.1413636186.000001906A8F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000010.00000002.2618433158.000001E59ED8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd=
Source: firefox.exe, 00000010.00000002.2618433158.000001E59ED80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2617919005.000001E59ED54000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2617218674.000001BBBB4C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2622159422.000001BBBB704000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2622820325.000001FF30824000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2616580475.000001FF30470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
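The last few strings above are the point of a Credential Flusher detection: the browser processes spawned by the sample hold the URL https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd, which wraps the Google password-challenge page inside a youtube.com link, and one copy sits directly next to the Firefox switch --no-default-browser, consistent with the URL having been passed on the browser's command line (the report does not print the command line itself, so treat that as an inference). The following detection logic is an added example, not part of the Joe Sandbox report and not code from the sample: it scores Sysmon-style process-creation events for a browser launched with a sign-in URL as an argument, including a sign-in URL nested (and possibly percent-encoded) inside another URL's query string. The browser and parent-process sets, the non-Google sign-in patterns and the --kiosk switch check are assumptions to make the rule a little broader than the single case in this report; the events are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Browser images whose command line we inspect (assumed set).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
# Parents from which a browser launch is unremarkable (assumed set).
BENIGN_PARENTS = BROWSERS | {"explorer.exe"}
# Sign-in endpoints worth flagging. The Google path is the one in the report;
# the other two are assumptions added to broaden the rule.
SIGNIN_PATTERNS = [
    re.compile(r"accounts\.google\.com/v3/signin", re.I),
    re.compile(r"login\.microsoftonline\.com/", re.I),
    re.compile(r"login\.live\.com/", re.I),
]
# Full-screen switch of Firefox and Chromium; not shown in this report,
# included only because it strengthens the signal when present.
KIOSK_SWITCHES = {"--kiosk", "-kiosk"}
URL_RE = re.compile(r"https?://\S+")


def embedded_signin_urls(cmdline):
    """Return sign-in URLs found in a command line, including one nested in
    another URL's query string (possibly percent-encoded), as in
    https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
    """
    found = []
    for url in URL_RE.findall(cmdline):
        candidates = [url]
        # parse_qsl percent-decodes values; keep_blank_values keeps the
        # empty-key pair produced by a query that starts with '='.
        for _key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if value.lower().startswith("http"):
                candidates.append(value)
        for cand in candidates:
            if cand not in found and any(p.search(cand) for p in SIGNIN_PATTERNS):
                found.append(cand)
    return found


def score_event(event):
    """event uses Sysmon-style keys: Image, ParentImage, CommandLine.
    Returns (sign-in URLs, list of reasons) for a browser launch."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS:
        return [], []
    reasons = []
    urls = embedded_signin_urls(event["CommandLine"])
    if urls:
        reasons.append("sign-in URL on command line")
    if KIOSK_SWITCHES & set(event["CommandLine"].lower().split()):
        reasons.append("kiosk switch")
    if parent not in BENIGN_PARENTS:
        reasons.append("launched by " + parent)
    return urls, reasons


def is_credential_flusher_like(event):
    """Fire only on a sign-in URL plus at least one more reason; a sign-in
    URL alone can be a user clicking a login link."""
    urls, reasons = score_event(event)
    return bool(urls) and len(reasons) >= 2


# Constructed process-creation events (not taken from the report). The URL in
# the first two is the one found in firefox.exe memory; --no-default-browser is
# the switch the report shows adjacent to it. Paths are illustrative.
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"Image": FIREFOX, "ParentImage": r"C:\Users\user\Desktop\kjDPynh9vQ.exe",
     "CommandLine": f'"{FIREFOX}" --no-default-browser '
                    "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"},
    {"Image": FIREFOX, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{FIREFOX}" --kiosk '
                    "https://youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd"},
    {"Image": FIREFOX, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{FIREFOX}" https://www.mozilla.org/'},
    {"Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME}" https://accounts.google.com/v3/signin/identifier'},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(is_credential_flusher_like(ev), score_event(ev)[1])
```

The fourth event (a browser opened by explorer.exe straight to the Google sign-in page) scores one reason and does not fire; that is deliberate, since the single indicator is noisy. The parent-process reason is what separates this sample's launch pattern from a user click.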
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown | Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown | Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49764 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49774 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49776 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49831 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49833 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.9:49834 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49842 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49841 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49843 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.9:49844 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49913 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.9:49914 version: TLS 1.2
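The port listing above records each TCP 443 flow twice, once per direction, keyed only by the client's ephemeral port; the "HTTP traffic on port 443" wording is the sandbox's signature text and does not imply cleartext HTTP. The peer IP is only available from the separate HTTPS lines, and not every client port has one. The script below is an added example (not part of the Joe Sandbox report) that joins the two listings by client port, counts flows per server IP, and flags ports that have no TLS record or only one direction, which is the point at which you go to the pcap instead of the text. The embedded lines are a subset copied from the listing above; the second direction for port 49982 was deliberately left out to exercise the one-sided check.

```python
import re
from collections import defaultdict

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: (\d+\.\d+\.\d+\.\d+):(\d+) -> "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) version: (TLS [\d.]+)"
)

# Subset of the report's lines (client 192.168.2.9); 49982 -> 443 is omitted
# on purpose so one port is one-sided.
REPORT_LINES = """
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown | Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.9:49764 version: TLS 1.2
""".strip().splitlines()


def parse_directions(lines):
    """Map each client port to the directions seen on it: '443 -> X' is
    server-to-client, 'X -> 443' is client-to-server."""
    seen = defaultdict(set)
    for line in lines:
        m = PORT_RE.search(line)
        if not m:
            continue
        a, b = int(m.group(1)), int(m.group(2))
        if a == 443:
            seen[b].add("s2c")
        elif b == 443:
            seen[a].add("c2s")
    return dict(seen)


def parse_tls_sessions(lines):
    """Map each client port to (server_ip, tls_version) from the HTTPS lines."""
    sessions = {}
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            server_ip, _srv_port, _client_ip, client_port, version = m.groups()
            sessions[int(client_port)] = (server_ip, version)
    return sessions


def correlate(lines):
    """One row per client port with the server IP joined in where known."""
    dirs, tls = parse_directions(lines), parse_tls_sessions(lines)
    rows = []
    for port in sorted(set(dirs) | set(tls)):
        server, version = tls.get(port, (None, None))
        rows.append({"client_port": port, "server_ip": server,
                     "tls": version, "directions": sorted(dirs.get(port, ()))})
    return rows


def flows_per_server(lines):
    counts = defaultdict(int)
    for row in correlate(lines):
        if row["server_ip"]:
            counts[row["server_ip"]] += 1
    return dict(counts)


def unattributed_ports(lines):
    """Client ports with traffic but no TLS line: the peer must come from the pcap."""
    return [r["client_port"] for r in correlate(lines) if r["server_ip"] is None]


def one_sided_ports(lines):
    """Client ports seen in only one direction (truncated or de-duplicated listing)."""
    return [r["client_port"] for r in correlate(lines) if len(r["directions"]) == 1]


if __name__ == "__main__":
    for row in correlate(REPORT_LINES):
        print(row)
    print("flows per server:", flows_per_server(REPORT_LINES))
    print("unattributed:", unattributed_ports(REPORT_LINES))
    print("one-sided:", one_sided_ports(REPORT_LINES))
```

Run against the full listing (paste the lines into REPORT_LINES), the per-server counts show the 35.244.181.201 and 34.120.208.123 addresses carrying most of the sessions; the regexes key off the detail text only, so they work on the lines whether or not the source column is separated.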
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeCode function: 0_2_00BFEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00BFEAFF
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeCode function: 0_2_00BFED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00BFED6A
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BEAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00C19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

    System Summary

    Source: kjDPynh9vQ.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
    Source: kjDPynh9vQ.exe, 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b8d60400-9)
    Source: kjDPynh9vQ.exe, 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_ead5292f-5)
    Source: kjDPynh9vQ.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_62e0206f-4)
    Source: kjDPynh9vQ.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_3005ee74-6)
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBC63F7 NtQuerySystemInformation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBE5832 NtQuerySystemInformation
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BED5EB CreateFileW,DeviceIoControl,CloseHandle
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BEE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B88060
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF2046
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE8298
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BBE4FF
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BB676B
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00C14873
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BACAA0
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B8CAF0
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B9CC39
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BB6DD9
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B891C0
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B9B119
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA1394
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA1706
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA781B
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA19B0
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B87920
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B9997D
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA7A4A
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA7CA7
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA1C77
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BB9EEE
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00C0BE44
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA1F32
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBC63F7
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBE5832
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBE5872
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBE5F5C
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: String function: 00B9F9F2 appears 40 times
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: String function: 00B89CB3 appears 31 times
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: String function: 00BA0A30 appears 46 times
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: String function: 00BA4963 appears 31 times
    Source: kjDPynh9vQ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: classification engine | Classification label: mal80.troj.evad.winEXE@34/34@66/12
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF37B5 GetLastError,FormatMessageW
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE10BF AdjustTokenPrivileges,CloseHandle
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File created: C:\Users\user\AppData\Local\Temp\firefox
    Source: kjDPynh9vQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process (recorded once for each of the five taskkill.exe instances)
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1547197439.00000117679DB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;9'
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT sum(count) FROM events;9
    Source: firefox.exe, 0000000E.00000003.1600494524.0000011767983000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);
    Source: kjDPynh9vQ.exe | Virustotal: Detection: 31%
    Source: kjDPynh9vQ.exe | ReversingLabs: Detection: 36%
    Source: unknown | Process created: C:\Users\user\Desktop\kjDPynh9vQ.exe "C:\Users\user\Desktop\kjDPynh9vQ.exe"
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
    Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2208 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2fc85f1-1a2d-4561-b18f-bae297b79c3b} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1174be6e310 socket
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3792 -prefMapHandle 3840 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5bf1d68-33a4-4d18-a21d-584b68b3679b} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1175beefd10 rdd
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3768 -prefMapHandle 4508 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a151f8c8-1b7f-4b6c-8e13-c9b62c2c0a41} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1176405a510 utility
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: unknown unknown (8 such entries)
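The process tree above is the whole technique of this sample: five forced browser kills issued by the same parent, then Firefox relaunched with --kiosk on a youtube.com URL whose query string carries an accounts.google.com password-challenge URL, so the victim is shown a full-screen Google sign-in with no address bar or window controls. Most of the API chains listed under System Summary (LogonUserW/CreateProcessAsUserW, ExitWindowsEx, the clipboard calls) belong to the AutoIt3 interpreter runtime that every compiled AutoIt script carries, so the process tree, not those chains, is the reliable record of what this script does. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code: detection logic for that kill-then-kiosk sequence, run over process-creation events constructed to mirror the report's command lines. The pids, the ProcEvent field names, the extra entries in BROWSERS and SIGNIN_HOSTS, and the benign events are assumptions.

```python
"""
Flag a browser launched in kiosk mode on a credential-lure URL after the same
parent force-killed other browsers. Added example, not from the report.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# The five browsers the sample kills, plus one assumed extra.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "iexplore.exe"}
# Sign-in hosts that, when embedded inside another site's URL, mark a lure (assumed list).
SIGNIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "login.live.com"}

TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.IGNORECASE)


@dataclass
class ProcEvent:          # assumed event shape, not a particular log schema
    pid: int
    ppid: int
    image: str
    cmdline: str


def split_cmdline(cmdline):
    """Whitespace-split a Windows command line, keeping quoted arguments whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def killed_browser(ev):
    """Return the browser image a 'taskkill /IM' command targets, else None."""
    m = TASKKILL_RE.search(ev.cmdline)
    if m and m.group(1).lower() in BROWSERS:
        return m.group(1).lower()
    return None


def kiosk_url(ev):
    """Return the URL a browser was started with in kiosk mode, else None."""
    if ntpath.basename(ev.image).lower() not in BROWSERS:
        return None
    toks = split_cmdline(ev.cmdline)
    for i, tok in enumerate(toks):
        if tok.lstrip("-").lower() == "kiosk" and i + 1 < len(toks):
            if toks[i + 1].lower().startswith(("http://", "https://")):
                return toks[i + 1]
    return None


def embedded_signin_host(url):
    """Return a sign-in host smuggled into url's query string, else None."""
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            host = (urlsplit(value).hostname or "").lower()
            if host in SIGNIN_HOSTS:
                return host
    return None


def analyze(events):
    """Return one finding per kiosk launch that looks like a credential lure."""
    kills = defaultdict(list)
    for ev in events:
        browser = killed_browser(ev)
        if browser and browser not in kills[ev.ppid]:
            kills[ev.ppid].append(browser)
    findings = []
    for ev in events:
        url = kiosk_url(ev)
        if url is None:
            continue
        killed = kills.get(ev.ppid, [])
        embedded = embedded_signin_host(url)
        # Two or more browsers killed by the same parent, or a sign-in host hidden
        # in the lure URL, is enough; a single admin taskkill is not.
        if len(killed) >= 2 or embedded is not None:
            findings.append({
                "parent_pid": ev.ppid,
                "kiosk_pid": ev.pid,
                "killed_browsers": killed,
                "kiosk_url": url,
                "display_host": (urlsplit(url).hostname or "").lower(),
                "embedded_signin_host": embedded,
            })
    return findings


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
LURE = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"

# Constructed from the report's process tree; the pids are made up.
SAMPLE_EVENTS = [
    ProcEvent(4100, 2000, r"C:\Users\user\Desktop\kjDPynh9vQ.exe", r'"C:\Users\user\Desktop\kjDPynh9vQ.exe"'),
] + [
    ProcEvent(4101 + i, 4100, r"C:\Windows\SysWOW64\taskkill.exe", f"taskkill /F /IM {b} /T")
    for i, b in enumerate(["firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"])
] + [
    ProcEvent(4200, 4100, FIREFOX, f'"{FIREFOX}" --kiosk "{LURE}" --no-default-browser-check --disable-popup-blocking'),
]

# Constructed benign activity: one admin taskkill and a signage-style kiosk launch.
BENIGN_EVENTS = [
    ProcEvent(500, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c taskkill /F /IM chrome.exe /T"),
    ProcEvent(501, 1, FIREFOX, f'"{FIREFOX}" --kiosk https://dashboard.corp.example/'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The rule fires on the kiosk launch, not on the kills alone, so an administrator's taskkill or a signage kiosk on its own does not trigger it; the kill list is correlated by parent pid, which is what the report shows (every taskkill and the kiosk Firefox are children of kjDPynh9vQ.exe). Extend BROWSERS and SIGNIN_HOSTS to the browsers and identity providers in your environment.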
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: wsock32.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: mpr.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: napinsp.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: pnrpnsp.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: wshbth.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: nlaapi.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: winrnr.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: fwpuclnt.dll
    (the sequence of eight name-service-provider and DNS DLL loads above is recorded 12 times in the report)
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: kjDPynh9vQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000E.00000003.1510234892.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510306330.000001175B5E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1509601010.000001175B5DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1509425130.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wshbth.pdb source: firefox.exe, 0000000E.00000003.1510234892.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510306330.000001175B5E4000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1509425130.000001175B588000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1509601010.000001175B5DA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1509425130.000001175B5D7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1507481783.000001175B588000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
    Source: Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1509425130.000001175B588000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1507481783.000001175B588000.00000004.00000020.00020000.00000000.sdmp
    Source: kjDPynh9vQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: kjDPynh9vQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: kjDPynh9vQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: kjDPynh9vQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: kjDPynh9vQ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeCode function: 0_2_00B842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00B842DE
    Source: gmpopenh264.dll.tmp.14.drStatic PE information: section name: .rodata
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeCode function: 0_2_00BA0A76 push ecx; ret 0_2_00BA0A89
    Source: C:\Program Files\Mozilla Firefox\firefox.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmpJump to dropped file
    Source: C:\Program Files\Mozilla Firefox\firefox.exeFile created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)Jump to dropped file
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeCode function: 0_2_00B9F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00B9F98E
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeCode function: 0_2_00C11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00C11C41
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-98487)
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBC63F7 rdtsc 18_2_000001BBBBBC63F7
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | API coverage: 4.0 %
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe TID: 7560 | Thread sleep count: 112 > 30
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe TID: 7560 | Thread sleep count: 134 > 30
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BEDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00BEDBBE
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BBC2A2 FindFirstFileExW, 0_2_00BBC2A2
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF68EE FindFirstFileW,FindClose, 0_2_00BF68EE
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00BF698F
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00BED076
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00BED3A9
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00BF9642
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00BF979D
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00BF9B2B
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BF5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00BF5C97
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00B842DE
    Source: kjDPynh9vQ.exe, 00000000.00000003.1448264939.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, kjDPynh9vQ.exe, 00000000.00000003.1400086343.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, kjDPynh9vQ.exe, 00000000.00000003.1440368038.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, kjDPynh9vQ.exe, 00000000.00000003.1366764187.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2618433158.000001E59ED8A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2623485471.000001BBBBC20000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2617218674.000001BBBB4CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2616580475.000001FF3047A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: firefox.exe, 00000010.00000002.2624145491.000001E59F218000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
    Source: firefox.exe, 00000013.00000002.2623431207.000001FF30850000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW!3
    Source: firefox.exe, 00000012.00000002.2623485471.000001BBBBC20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGD
    Source: firefox.exe, 00000010.00000002.2618433158.000001E59ED8A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
    Source: firefox.exe, 00000010.00000002.2625120261.000001E59F300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2623485471.000001BBBBC20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process information queried: ProcessInformation
    Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 18_2_000001BBBBBC63F7 rdtsc 18_2_000001BBBBBC63F7
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BFEAA2 BlockInput, 0_2_00BFEAA2
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BB2622
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00B842DE
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00BA4CE8
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00BE0B62
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BB2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BB2622
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BA083F
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA09D5 SetUnhandledExceptionFilter, 0_2_00BA09D5
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BA0C21
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00BE1201
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BC2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00BC2BA5
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BEB226 SendInput,keybd_event, 0_2_00BEB226
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00C022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00C022DA
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00BE0B62
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BE1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00BE1663
    Source: kjDPynh9vQ.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: kjDPynh9vQ.exe | Binary or memory string: Shell_TrayWnd
    Source: firefox.exe, 0000000E.00000003.1492632095.0000011768441000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BA0698 cpuid 0_2_00BA0698
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BDD21C GetLocalTime, 0_2_00BDD21C
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BDD27A GetUserNameW, 0_2_00BDD27A
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00BBB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00BBB952
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00B842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00B842DE

    Stealing of Sensitive Information

    Source: Yara match | File source: Process Memory Space: kjDPynh9vQ.exe PID: 7556, type: MEMORYSTR
    Source: kjDPynh9vQ.exe | Binary or memory string: WIN_81
    Source: kjDPynh9vQ.exe | Binary or memory string: WIN_XP
    Source: kjDPynh9vQ.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
    Source: kjDPynh9vQ.exe | Binary or memory string: WIN_XPe
    Source: kjDPynh9vQ.exe | Binary or memory string: WIN_VISTA
    Source: kjDPynh9vQ.exe | Binary or memory string: WIN_7
    Source: kjDPynh9vQ.exe | Binary or memory string: WIN_8

    Remote Access Functionality

    Source: Yara match | File source: Process Memory Space: kjDPynh9vQ.exe PID: 7556, type: MEMORYSTR
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00C01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00C01204
    Source: C:\Users\user\Desktop\kjDPynh9vQ.exe | Code function: 0_2_00C01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C01806
    MITRE ATT&CK Matrix (each row lists one technique per tactic column; a number before a technique name is the count shown in the report for that technique)

    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 2 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
    Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 2 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 1 DLL Side-Loading | NTDS | 16 System Information Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 Extra Window Memory Injection | LSA Secrets | 131 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Process Injection | 1 Masquerading | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 2 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
    Behavior Graph ID: 1576611 | Sample: kjDPynh9vQ.exe | Startdate: 17/12/2024 | Architecture: WINDOWS | Score: 80

    Start
      DNS/IP: youtube.com; youtube-ui.l.google.com; 34 other IPs or domains
      Signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Credential Flusher; 3 other signatures
      started: kjDPynh9vQ.exe
        Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
        started: taskkill.exe 1 (started: conhost.exe)
        started: taskkill.exe 1 (started: conhost.exe)
        started: taskkill.exe 1 (started: conhost.exe)
        started: 3 other processes (started: conhost.exe; conhost.exe)
      started: firefox.exe 1
        started: firefox.exe 3 202
          DNS/IP: youtube.com 142.250.201.46, 443, 49740, 49741 GOOGLEUS United States; prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49739, 49752, 49756 GOOGLEUS United States; 11 other IPs or domains
          dropped: C:\Users\user\AppData\...\gmpopenh264.dll.tmp, PE32+; C:\Users\user\...\gmpopenh264.dll (copy), PE32+
          started: firefox.exe 1
          started: firefox.exe 1
          started: firefox.exe 1

    Source | Detection | Scanner | Label | Link
    kjDPynh9vQ.exe | 32% | Virustotal | | Browse
    kjDPynh9vQ.exe | 37% | ReversingLabs | Win32.Ransomware.Generic |
    kjDPynh9vQ.exe | 100% | Avira | TR/ATRAPS.Gen |
    kjDPynh9vQ.exe | 100% | Joe Sandbox ML | |
    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy) | 0% | ReversingLabs | |
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy) | 0% | Virustotal | | Browse
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp | 0% | ReversingLabs | |
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp | 0% | Virustotal | | Browse
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    example.org | 93.184.215.14 | true | false | | high
    star-mini.c10r.facebook.com | 157.240.196.35 | true | false | | high
    prod.classify-client.prod.webservices.mozgcp.net | 35.190.72.216 | true | false | | high
    prod.balrog.prod.cloudops.mozgcp.net | 35.244.181.201 | true | false | | high
    twitter.com | 104.244.42.193 | true | false | | high
    prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | true | false | | high
    services.addons.mozilla.org | 151.101.193.91 | true | false | | high
    s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
    dyna.wikimedia.org | 185.15.58.224 | true | false | | high
    prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | true | false | | high
    contile.services.mozilla.com | 34.117.188.166 | true | false | | high
    youtube.com | 142.250.201.46 | true | false | | high
    prod.content-signature-chains.prod.webservices.mozgcp.net | 34.160.144.191 | true | false | | high
    youtube-ui.l.google.com | 172.217.19.174 | true | false | | high
    us-west1.prod.sumo.prod.webservices.mozgcp.net | 34.149.128.2 | true | false | | high
    reddit.map.fastly.net | 151.101.129.140 | true | false | | high
    ipv4only.arpa | 192.0.0.170 | true | false | | high
    prod.ads.prod.webservices.mozgcp.net | 34.117.188.166 | true | false | | high
    push.services.mozilla.com | 34.107.243.93 | true | false | | high
    normandy-cdn.services.mozilla.com | 35.201.103.21 | true | false | | high
    telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | true | false | | high
    www.reddit.com | unknown | unknown | false | | high
    spocs.getpocket.com | unknown | unknown | false | | high
    content-signature-2.cdn.mozilla.net | unknown | unknown | false | | high
    support.mozilla.org | unknown | unknown | false | | high
    firefox.settings.services.mozilla.com | unknown | unknown | false | | high
    www.youtube.com | unknown | unknown | false | | high
    www.facebook.com | unknown | unknown | false | | high
    detectportal.firefox.com | unknown | unknown | false | | high
    normandy.cdn.mozilla.net | unknown | unknown | false | | high
    shavar.services.mozilla.com | unknown | unknown | false | | high
    www.wikipedia.org | unknown | unknown | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox- | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l | firefox.exe, 00000013.00000002.2618073891.000001FF307C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER% | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://datastudio.google.com/embed/reporting/ | firefox.exe, 0000000E.00000003.1584816930.000001175DA51000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.mozilla.com0 | gmpopenh264.dll.tmp.14.dr | false | | high
    https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl | firefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://merino.services.mozilla.com/api/v1/suggest | firefox.exe, 00000012.00000002.2618028535.000001BBBB685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF3078F000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://json-schema.org/draft/2019-09/schema. | firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://www.leboncoin.fr/ | firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://spocs.getpocket.com/spocs | firefox.exe, 0000000E.00000003.1554648937.000001175E299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1597430981.0000011757ED8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589292006.000001175D649000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill | firefox.exe, 0000000E.00000003.1466359594.00000117642D0000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://screenshots.firefox.com | firefox.exe, 0000000E.00000003.1597430981.0000011757EBA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://completion.amazon.com/search/complete?q= | firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://ads.stickyadstv.com/firefox-etp | firefox.exe, 0000000E.00000003.1585054705.000001175DA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://identity.mozilla.com/ids/ecosystem_telemetryU | firefox.exe, 0000000E.00000003.1600557915.000001176796F000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://monitor.firefox.com/breach-details/ | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://github.com/w3c/csswg-drafts/issues/4650 | firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://www.amazon.com/exec/obidos/external-search/ | firefox.exe, 0000000E.00000003.1536625545.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510241422.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583421733.0000011764AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1472261839.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419733855.000001175B97C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475413886.000001175DDF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576140732.0000011764AF0000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://profiler.firefox.com/ | firefox.exe, 0000000E.00000003.1596226988.0000011759E56000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.msn.com | firefox.exe, 0000000E.00000003.1550108167.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610952868.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577147529.0000011764090000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta | firefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr | false | | high
    https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5 | firefox.exe, 0000000E.00000003.1547197439.00000117679BF000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/mozilla-services/screenshots | firefox.exe, 0000000E.00000003.1418857928.000001175B91B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419583867.000001175B967000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419100634.000001175B934000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1419440141.000001175B94D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418222719.000001175B700000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://services.addons.mozilla.org/api/v4/addons/addon/ | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://tracking-protection-issues.herokuapp.com/new | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://youtube.com/ | firefox.exe, 0000000E.00000003.1550108167.000001176406F000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://content-signature-2.cdn.mozilla.net/ | firefox.exe, 0000000E.00000003.1626230870.000001175D665000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://json-schema.org/draft/2020-12/schema/= | firefox.exe, 0000000E.00000003.1628070910.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590457510.000001175D1E7000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.instagram.com/ | firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://api.accounts.firefox.com/v1 | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://ok.ru/ | firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.amazon.com/ | firefox.exe, 0000000E.00000003.1571961254.0000011768299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590198631.000001175D317000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/ | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://fpn.firefox.com | firefox.exe, 0000000E.00000003.1596442007.0000011758B55000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc | firefox.exe, 0000000E.00000003.1574438687.0000011767E08000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://www.amazon.co.uk/CSV | firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://ocsp.rootca1.amazontrust.com0: | firefox.exe, 0000000E.00000003.1592329803.000001175C2E9000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://www.youtube.com/ | firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF3070C000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://bugzilla.mozilla.org/show_bug.cgi?id=1283601 | firefox.exe, 0000000E.00000003.1475105659.0000011765C63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield | firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
    https://www.bbc.co.uk/ | firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang= | firefox.exe, 00000013.00000002.2618073891.000001FF307C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://127.0.0.1: | firefox.exe, 0000000E.00000003.1595113250.000001175B67B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1611632931.0000011764055000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmp | false | | high
                                                                                                                                                                        https://bugzilla.mozilla.org/show_bug.cgi?id=1266220firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475016021.0000011765C49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1475283867.0000011765C3C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152firefox.exe, 0000000E.00000003.1537614959.000001175DB27000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://bugzilla.mofirefox.exe, 0000000E.00000003.1622375559.00000117676BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://mitmdetection.services.mozilla.com/firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://static.adsafeprotected.com/firefox-etp-jsfirefox.exe, 0000000E.00000003.1616745609.000001175DCB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1586858972.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590850308.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556297977.000001175DCAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466939019.000001175DAA5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://youtube.com/account?=recovery.jsonlz4.tmp.14.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://shavar.services.mozilla.com/firefox.exe, 0000000E.00000003.1576818484.000001176413A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgfirefox.exe, 00000010.00000002.2620621261.000001E59F0CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB6EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2623975465.000001FF30A03000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapturefirefox.exe, 0000000E.00000003.1574438687.0000011767E06000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://spocs.getpocket.com/firefox.exe, 0000000E.00000003.1554648937.000001175E299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623471754.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442398415.000001175F75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1607070018.0000011765ED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2618028535.000001BBBB612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2618073891.000001FF30713000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://services.addons.mozilla.org/api/v4/abuse/report/addon/firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-ffirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://www.iqiyi.com/firefox.exe, 0000000E.00000003.1555951897.000001175E17C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_rfirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://monitor.firefox.com/user/breach-stats?includeResolved=truefirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-reportfirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://bugzilla.mozilla.org/show_bug.cgi?id=1584464firefox.exe, 0000000E.00000003.1442398415.000001175F7D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551280237.000001175F7D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://a9.com/-/spec/opensearch/1.0/firefox.exe, 0000000E.00000003.1601574102.000001176455E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://safebrowsing.google.com/safebrowsing/diagnostic?site=firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://www.inbox.lv/rfc2368/?value=%sufirefox.exe, 0000000E.00000003.1595323217.0000011759EA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://monitor.firefox.com/user/dashboardfirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://bugzilla.mozilla.org/show_bug.cgi?id=1170143firefox.exe, 0000000E.00000003.1475151375.0000011765C44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_IDfirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://monitor.firefox.com/aboutfirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          http://mozilla.org/MPL/2.0/.firefox.exe, 0000000E.00000003.1549433566.0000011764182000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1518465499.000001175D0A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556213710.000001175DCE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1585482009.000001175C31F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1555623445.000001175E1BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1582535165.000001175DB43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510551041.000001175D09D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519636785.0000011764315000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1595323217.0000011759EB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1506324855.000001175DBAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1517910570.000001175B2FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1567186187.000001175D0AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545540793.000001175DB78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1579462149.000001175DD31000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1594557892.000001175BEBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1506825569.000001175DB71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1520355193.000001175F5DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 
0000000E.00000003.1585620429.000001175C08E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1510551041.000001175D0A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1552326270.000001175F272000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1472700511.000001175D0A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://account.bellmedia.cfirefox.exe, 0000000E.00000003.1550108167.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610952868.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577147529.0000011764090000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              https://login.microsoftonline.comfirefox.exe, 0000000E.00000003.1550108167.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1610952868.0000011764090000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577147529.0000011764090000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                https://coverage.mozilla.orgfirefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                                  high
                                                                                                                                                                                                                                  http://crl.thawte.com/ThawteTimestampingCA.crl0gmpopenh264.dll.tmp.14.drfalse
                                                                                                                                                                                                                                    high
                                                                                                                                                                                                                                    https://www.zhihu.com/firefox.exe, 0000000E.00000003.1578731608.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1623730487.000001175F4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615545224.000001175E052000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      high
                                                                                                                                                                                                                                      http://x1.c.lencr.org/0firefox.exe, 0000000E.00000003.1592329803.000001175C2E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549872314.0000011764144000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                        high
                                                                                                                                                                                                                                        http://x1.i.lencr.org/0firefox.exe, 0000000E.00000003.1592329803.000001175C2E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549872314.0000011764144000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                          high
                                                                                                                                                                                                                                          http://a9.com/-/spec/opensearch/1.1/firefox.exe, 0000000E.00000003.1601574102.000001176455E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                            high
                                                                                                                                                                                                                                            https://infra.spec.whatwg.org/#ascii-whitespacefirefox.exe, 0000000E.00000003.1519636785.000001176433A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                              high
                                                                                                                                                                                                                                              https://blocked.cdn.mozilla.net/firefox.exe, 00000010.00000002.2623815349.000001E59F100000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2622424834.000001BBBBB70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2623663375.000001FF30950000.00000002.10000000.00040000.00000000.sdmpfalse
                                                                                                                                                                                                                                                high
                                                                                                                                                                                                                                                https://json-schema.org/draft/2019-09/schemafirefox.exe, 0000000E.00000003.1601574102.000001176455E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1445367988.000001175CF64000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                                  high
IP               Domain                                                     Country        ASN     ASN Name                                 Malicious
34.149.100.209   prod.remote-settings.prod.webservices.mozgcp.net           United States  2686    ATGS-MMD-ASUS                            false
34.107.243.93    push.services.mozilla.com                                  United States  15169   GOOGLEUS                                 false
34.107.221.82    prod.detectportal.prod.cloudops.mozgcp.net                 United States  15169   GOOGLEUS                                 false
35.244.181.201   prod.balrog.prod.cloudops.mozgcp.net                       United States  15169   GOOGLEUS                                 false
34.117.188.166   contile.services.mozilla.com                               United States  139070  GOOGLE-AS-APGoogleAsiaPacificPteLtdSG    false
151.101.193.91   services.addons.mozilla.org                                United States  54113   FASTLYUS                                 false
35.201.103.21    normandy-cdn.services.mozilla.com                          United States  15169   GOOGLEUS                                 false
35.190.72.216    prod.classify-client.prod.webservices.mozgcp.net           United States  15169   GOOGLEUS                                 false
34.160.144.191   prod.content-signature-chains.prod.webservices.mozgcp.net  United States  2686    ATGS-MMD-ASUS                            false
142.250.201.46   youtube.com                                                United States  15169   GOOGLEUS                                 false
34.120.208.123   telemetry-incoming.r53-2.services.mozilla.com              United States  15169   GOOGLEUS                                 false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576611
Start date and time: 2024-12-17 10:19:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kjDPynh9vQ.exe
renamed because original name is a hash value
Original Sample Name: a94e88b82d8b95386186b27736dff926.exe
Detection: MAL
Classification: mal80.troj.evad.winEXE@34/34@66/12
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 48
• Number of non-executed functions: 304
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.40.120.141, 44.228.225.150, 35.85.93.176, 142.250.181.74, 172.217.17.46, 88.221.134.155, 88.221.134.209, 142.250.200.238, 13.107.246.63, 23.218.208.109, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big: too many NtCreateFile calls found.
• Report size getting too big: too many NtOpenFile calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 04:20:17 | API Interceptor | 1x Sleep call for process: firefox.exe modified |
Associated samples by contacted IP (the SHA 256 and report links of the original page are not reproduced here):

| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| 34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
| 34.117.188.166 | fNlxQP0jBz.exe | malicious | Credential Flusher |
| 34.117.188.166 | LbgqLv7gT7.exe | malicious | Credential Flusher |
| 34.117.188.166 | fNlxQP0jBz.exe | malicious | Credential Flusher |
| 34.117.188.166 | LbgqLv7gT7.exe | malicious | Credential Flusher |
| 34.117.188.166 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar |
| 34.117.188.166 | P0HV8mjHS1.exe | malicious | Credential Flusher |
| 34.117.188.166 | P0HV8mjHS1.exe | malicious | Credential Flusher |
| 34.117.188.166 | mdPov8VTwi.exe | malicious | Credential Flusher |
| 34.117.188.166 | mdPov8VTwi.exe | malicious | Credential Flusher |
| 151.101.193.91 | 6eftz6UKDm.exe | malicious | Credential Flusher |
| 151.101.193.91 | nmy4mJXEaz.exe | malicious | Credential Flusher |
| 151.101.193.91 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar |
| 151.101.193.91 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
| 151.101.193.91 | file.exe | malicious | Credential Flusher |
| 151.101.193.91 | file.exe | malicious | Credential Flusher |
| 151.101.193.91 | file.exe | malicious | Credential Flusher |
| 151.101.193.91 | file.exe | malicious | Credential Flusher |
| 151.101.193.91 | file.exe | malicious | Amadey, Credential Flusher, Stealc, Vidar |
| 151.101.193.91 | file.exe | malicious | Credential Flusher |
| 34.149.100.209 | fNlxQP0jBz.exe | malicious | Credential Flusher |
| 34.149.100.209 | LbgqLv7gT7.exe | malicious | Credential Flusher |
| 34.149.100.209 | fNlxQP0jBz.exe | malicious | Credential Flusher |
| 34.149.100.209 | LbgqLv7gT7.exe | malicious | Credential Flusher |
| 34.149.100.209 | P0HV8mjHS1.exe | malicious | Credential Flusher |
| 34.149.100.209 | P0HV8mjHS1.exe | malicious | Credential Flusher |
| 34.149.100.209 | mdPov8VTwi.exe | malicious | Credential Flusher |
| 34.149.100.209 | mdPov8VTwi.exe | malicious | Credential Flusher |
| 34.149.100.209 | nmy4mJXEaz.exe | malicious | Credential Flusher |
| 34.149.100.209 | 6eftz6UKDm.exe | malicious | Credential Flusher |
| 34.160.144.191 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar |
| 34.160.144.191 | fNlxQP0jBz.exe | malicious | Credential Flusher |
| 34.160.144.191 | LbgqLv7gT7.exe | malicious | Credential Flusher |
| 34.160.144.191 | fNlxQP0jBz.exe | malicious | Credential Flusher |
| 34.160.144.191 | LbgqLv7gT7.exe | malicious | Credential Flusher |
| 34.160.144.191 | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar |
| 34.160.144.191 | P0HV8mjHS1.exe | malicious | Credential Flusher |
| 34.160.144.191 | P0HV8mjHS1.exe | malicious | Credential Flusher |
| 34.160.144.191 | mdPov8VTwi.exe | malicious | Credential Flusher |
| 34.160.144.191 | mdPov8VTwi.exe | malicious | Credential Flusher |
Associated samples by contacted domain (Context is the IP the domain resolved to in that analysis; the SHA 256 and report links of the original page are not reproduced here):

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| example.org | file.exe | malicious | LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 93.184.215.14 |
| example.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 93.184.215.14 |
| example.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 93.184.215.14 |
| example.org | fNlxQP0jBz.exe | malicious | Credential Flusher | 93.184.215.14 |
| example.org | LbgqLv7gT7.exe | malicious | Credential Flusher | 93.184.215.14 |
| example.org | fNlxQP0jBz.exe | malicious | Credential Flusher | 93.184.215.14 |
| example.org | LbgqLv7gT7.exe | malicious | Credential Flusher | 93.184.215.14 |
| example.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer | 93.184.215.14 |
| example.org | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 93.184.215.14 |
| example.org | P0HV8mjHS1.exe | malicious | Credential Flusher | 93.184.215.14 |
| star-mini.c10r.facebook.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 157.240.195.35 |
| star-mini.c10r.facebook.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig | 157.240.195.35 |
| star-mini.c10r.facebook.com | http://inspirafinancial.com | malicious | Unknown | 157.240.195.35 |
| star-mini.c10r.facebook.com | https://business.livechathelpsuite.com | malicious | Unknown | 157.240.196.35 |
| star-mini.c10r.facebook.com | fNlxQP0jBz.exe | malicious | Credential Flusher | 157.240.195.35 |
| star-mini.c10r.facebook.com | LbgqLv7gT7.exe | malicious | Credential Flusher | 157.240.195.35 |
| star-mini.c10r.facebook.com | fNlxQP0jBz.exe | malicious | Credential Flusher | 157.240.196.35 |
| star-mini.c10r.facebook.com | LbgqLv7gT7.exe | malicious | Credential Flusher | 157.240.196.35 |
| star-mini.c10r.facebook.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog Stealer | 157.240.196.35 |
| star-mini.c10r.facebook.com | https://afw.soundestlink.com/ce/c/675c127e5a5226f9e7b86686/675c13ae85cd17d1e3e2ab54/675c13c9f9a08fb1fbb3e577?signature=3f4d77f7452e61cf1e0cb9ce4a3540d02af0944caf975b089573a2fc1d891103 | malicious | Unknown | |
                                                                                                                                                                                                                                                                                                                                                            • 157.240.195.35
                                                                                                                                                                                                                                                                                                                                                            twitter.comfile.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, XmrigBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.129
                                                                                                                                                                                                                                                                                                                                                            fNlxQP0jBz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                                            LbgqLv7gT7.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                                            fNlxQP0jBz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                                            LbgqLv7gT7.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, DCRat, LummaC Stealer, PureLog StealerBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.129
                                                                                                                                                                                                                                                                                                                                                            P0HV8mjHS1.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.129
                                                                                                                                                                                                                                                                                                                                                            P0HV8mjHS1.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 104.244.42.193
                                                                                                                                                                                                                                                                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                                                                                                                                            GOOGLE-AS-APGoogleAsiaPacificPteLtdSGhttp://inspirafinancial.comGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.77.79
                                                                                                                                                                                                                                                                                                                                                            Tbconsulting Company Guidelines Employee Handbook.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.77.79
                                                                                                                                                                                                                                                                                                                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                            fNlxQP0jBz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                            LbgqLv7gT7.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                            fNlxQP0jBz.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                            LbgqLv7gT7.exeGet hashmaliciousCredential FlusherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                            1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.59.81
                                                                                                                                                                                                                                                                                                                                                            1734347766284d20dc9a2ac535c59f41881efe888891552ad79abf01710e07a6dadfae2b13366.dat-decoded.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.59.81
                                                                                                                                                                                                                                                                                                                                                            file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.117.188.166
                                                                                                                                                                                                                                                                                                                                                            FASTLYUSgreatnicefeatureswithsupercodebnaturalthingsinlineforgiven.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.193.137
                                                                                                                                                                                                                                                                                                                                                            https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.zaGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.130.137
                                                                                                                                                                                                                                                                                                                                                            DHL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                                                                                                                                                            • 185.199.110.153
                                                                                                                                                                                                                                                                                                                                                            https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.194.137
                                                                                                                                                                                                                                                                                                                                                            seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.1.137
                                                                                                                                                                                                                                                                                                                                                            sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.htaGet hashmaliciousCobalt Strike, RemcosBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.193.137
                                                                                                                                                                                                                                                                                                                                                            createdbetterthingswithgreatnressgivenmebackwithnice.htaGet hashmaliciousCobalt Strike, FormBookBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.1.137
                                                                                                                                                                                                                                                                                                                                                            ORDER-24171200967.XLS..jsGet hashmaliciousWSHRat, Caesium Obfuscator, STRRATBrowse
                                                                                                                                                                                                                                                                                                                                                            • 199.232.196.209
                                                                                                                                                                                                                                                                                                                                                            https://ivsmn.kidsavancados.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.131.6
                                                                                                                                                                                                                                                                                                                                                            https://uvcr.ovactanag.ru/jQXv/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                                                                                                                            • 151.101.130.137
                                                                                                                                                                                                                                                                                                                                                            ATGS-MMD-ASUSjf2jJnlcYf.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.141.219.230
                                                                                                                                                                                                                                                                                                                                                            fqw6IYYEwz.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.141.219.230
                                                                                                                                                                                                                                                                                                                                                            sd3o9UfOL4.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.141.219.230
                                                                                                                                                                                                                                                                                                                                                            PytpTDxs17.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.141.219.230
                                                                                                                                                                                                                                                                                                                                                            4Aoo17481q.exeGet hashmaliciousCryptbotBrowse
                                                                                                                                                                                                                                                                                                                                                            • 34.141.219.230
 | eL4XYAHUrt.exe | Get hash | malicious | Cryptbot | Browse | 34.141.219.230
 | ldr.ps1 | Get hash | malicious | GO Miner, Xmrig | Browse | 48.122.163.149
 | 1.elf | Get hash | malicious | Unknown | Browse | 32.2.73.129
 | 236236236.elf | Get hash | malicious | Unknown | Browse | 34.140.19.13
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 34.160.144.191
 | ATGS-MMD-ASUSjf2jJnlcYf.exe | Get hash | malicious | Clipboard Hijacker, Cryptbot | Browse | 34.141.219.230
 | fqw6IYYEwz.exe | Get hash | malicious | Cryptbot | Browse | 34.141.219.230
 | sd3o9UfOL4.exe | Get hash | malicious | Cryptbot | Browse | 34.141.219.230
 | PytpTDxs17.exe | Get hash | malicious | Cryptbot | Browse | 34.141.219.230
 | 4Aoo17481q.exe | Get hash | malicious | Cryptbot | Browse | 34.141.219.230
 | eL4XYAHUrt.exe | Get hash | malicious | Cryptbot | Browse | 34.141.219.230
 | ldr.ps1 | Get hash | malicious | GO Miner, Xmrig | Browse | 48.122.163.149
 | 1.elf | Get hash | malicious | Unknown | Browse | 32.2.73.129
 | 236236236.elf | Get hash | malicious | Unknown | Browse | 34.140.19.13
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 34.160.144.191
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
fb0aa01abe9d8e4037eb3473ca6e2dca | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | fNlxQP0jBz.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | LbgqLv7gT7.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | fNlxQP0jBz.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | LbgqLv7gT7.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | P0HV8mjHS1.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | P0HV8mjHS1.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | mdPov8VTwi.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
 | mdPov8VTwi.exe | Get hash | malicious | Credential Flusher | Browse | 151.101.193.91, 35.244.181.201, 34.149.100.209, 34.160.144.191, 34.120.208.123
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)
fNlxQP0jBz.exe | Get hash | malicious | Credential Flusher | Browse
LbgqLv7gT7.exe | Get hash | malicious | Credential Flusher | Browse
fNlxQP0jBz.exe | Get hash | malicious | Credential Flusher | Browse
LbgqLv7gT7.exe | Get hash | malicious | Credential Flusher | Browse
P0HV8mjHS1.exe | Get hash | malicious | Credential Flusher | Browse
P0HV8mjHS1.exe | Get hash | malicious | Credential Flusher | Browse
mdPov8VTwi.exe | Get hash | malicious | Credential Flusher | Browse
mdPov8VTwi.exe | Get hash | malicious | Credential Flusher | Browse
nmy4mJXEaz.exe | Get hash | malicious | Credential Flusher | Browse
6eftz6UKDm.exe | Get hash | malicious | Credential Flusher | Browse
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 7962
Entropy (8bit): 5.178653365281598
Encrypted: false
SSDEEP: 192:IgSMXMOhcbhbVbTbfbRbObtbyEl7njrMJA6unSrDtTkdwSz4:IgnJcNhnzFSJDrf1nSrDhkdwB
MD5: 1AD763C6F9CB7AD27CDFD2E243E81BF8
SHA1: C9150F69B069230654642E32A33C27C817C43FAF
SHA-256: 21EBCFAE721FA1DD74E5A523F0E912AB0B9EDD4972503C0E95DF138344CD26B0
SHA-512: A39608433EB92A4B48AD83B1A8CF55C315962F749CD0BA73F057869DA7C434527CBEC118A039EB8C789C2214EB29628D6B2A5FE6F608DD09DDE52DCE7D9E84B1
Malicious: false
Preview: {"type":"uninstall","id":"32d69c12-f9c3-4400-a35c-babf82e972ae","creationDate":"2024-12-17T11:12:15.939Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"925ffdea-713b-4a0d-8648-4d4e3cf3260c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 7962
Entropy (8bit): 5.178653365281598
Encrypted: false
SSDEEP: 192:IgSMXMOhcbhbVbTbfbRbObtbyEl7njrMJA6unSrDtTkdwSz4:IgnJcNhnzFSJDrf1nSrDhkdwB
MD5: 1AD763C6F9CB7AD27CDFD2E243E81BF8
SHA1: C9150F69B069230654642E32A33C27C817C43FAF
SHA-256: 21EBCFAE721FA1DD74E5A523F0E912AB0B9EDD4972503C0E95DF138344CD26B0
SHA-512: A39608433EB92A4B48AD83B1A8CF55C315962F749CD0BA73F057869DA7C434527CBEC118A039EB8C789C2214EB29628D6B2A5FE6F608DD09DDE52DCE7D9E84B1
Malicious: false
Preview: {"type":"uninstall","id":"32d69c12-f9c3-4400-a35c-babf82e972ae","creationDate":"2024-12-17T11:12:15.939Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"925ffdea-713b-4a0d-8648-4d4e3cf3260c","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.4593089050301797
Encrypted: false
SSDEEP: 48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5: D910AD167F0217587501FDCDB33CC544
SHA1: 2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256: E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512: F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious: false
Preview: ... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=deflate
Category: dropped
Size (bytes): 453023
Entropy (8bit): 7.997718157581587
Encrypted: true
SSDEEP: 12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5: 85430BAED3398695717B0263807CF97C
SHA1: FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256: A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512: 06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious: false
Preview: PK.........bN...R..........gmpopenh264.dll..|.E.0.=..I.....1....4f1q.`.........q.....'+....h*m{.z..o_.{w........$..($A!...|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`...*.........ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\......*.....-i.K.I..4.a..6..*...Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N.*.}..).3.N%.!..q*........^I.m..~...6.#.~+.....A...I]r...x..*.<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..|c.1.cUkM.&.Qn]..a]t.h..*.!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.
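The dropped-file records above carry the fields an analyst compares against a file recovered from a host: the four hashes, the 8-bit entropy, the "Encrypted" flag and a libmagic-style type string. Two things are worth keeping in mind when reading them. First, the report does not say how it derives "Encrypted"; it is an entropy heuristic, and the zip record shows its failure mode: a deflate-compressed archive (the preview names the member gmpopenh264.dll, Firefox's OpenH264 GMP plugin download) scores 7.998 bits per byte and is flagged Encrypted: true although it is only compressed. Second, the JSON and MP4 records are Firefox's own telemetry ping and a cached media file, so "dropped" in this table means written during the run, not written by the sample. The script below is an added example, not part of the Joe Sandbox report or its tooling: it recomputes the same fields for an arbitrary byte string so a collected file can be matched to a record by SHA-256 rather than by name or size, and it uses an assumed 7.9 bits-per-byte threshold for "Encrypted" (the report's real cut-off is not stated); the three sample blobs are constructed inline to stand in for the JSON, MP4 and zip classes in the table.

```python
"""Recompute the per-file triage fields shown in a sandbox dropped-files table
(hashes, 8-bit Shannon entropy, an Encrypted flag, a magic-number type guess)
so a file pulled from an endpoint can be compared against the report.
Added example; not part of the Joe Sandbox report."""
import hashlib
import json
import math
from collections import Counter

# Assumed threshold: the report does not state how "Encrypted" is derived.
# 7.9 bits/byte is a common heuristic and reproduces the verdicts in the table
# (5.18 JSON -> false, 0.46 MP4 -> false, 7.998 deflate zip -> true).
ENCRYPTED_THRESHOLD = 7.9


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_file_type(data: bytes) -> str:
    """Cheap magic-number classification covering the formats in the table."""
    if data[:4] == b"PK\x03\x04":
        return "Zip archive data"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "ISO Media, MP4 Base Media"
    if data[:2] == b"MZ":
        return "PE executable"
    try:
        json.loads(data.decode("utf-8"))
        return "JSON data"
    except (UnicodeDecodeError, ValueError):
        return "data"


def describe(data: bytes) -> dict:
    """Build a record using the same field names the report uses."""
    entropy = shannon_entropy(data)
    return {
        "File Type": guess_file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= ENCRYPTED_THRESHOLD,  # heuristic, see above
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(data: bytes, reported_sha256: str) -> bool:
    """True when a collected file is byte-identical to the dropped file the
    sandbox hashed. Compare SHA-256; name, size and type are not identity."""
    return hashlib.sha256(data).hexdigest().lower() == reported_sha256.lower()


# Constructed stand-ins for the three file classes in the table (not the real files).
SAMPLE_JSON = json.dumps({"type": "uninstall", "version": 4}).encode()
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32000   # mostly zero padding
SAMPLE_ZIP = b"PK\x03\x04" + bytes(range(256)) * 128          # uniform bytes, like deflate output

if __name__ == "__main__":
    for name, blob in (("json", SAMPLE_JSON), ("mp4", SAMPLE_MP4), ("zip", SAMPLE_ZIP)):
        rec = describe(blob)
        print(f"{name}: {rec['File Type']}, entropy={rec['Entropy (8bit)']:.3f}, "
              f"encrypted={rec['Encrypted']}, sha256={rec['SHA-256'][:16]}...")
```

Run it against a file with `describe(open(path, "rb").read())` and check `matches_report()` with the SHA-256 from the record; the entropy and Encrypted fields are only useful for deciding what to look at next, because compressed data, encrypted data and packed executables all sit near 8 bits per byte.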
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):4282
Entropy (8bit):4.932376496275519
Encrypted:false
SSDEEP:96:LtlL8S+OgPUFuWOdwNIOd4fOIjvYoLTRL2g8P:5lL8S+OYUIWOdwiOd6tjRHRL2g8P
MD5:F2F82CDA4218F74597701872F4833E78
SHA1:33FB3EFFF26B62AC500D499A404082858B5B84ED
SHA-256:C49794DC484D66890E4D8755BA0E8B3026F48670E02BE0CFE6CB0D28F4E602F8
SHA-512:0D883A19FA9AE94A8E4A13A95486706E29462F881039252F7F86240DB38C48D23EFEA150C0477BC3EC74BBD37BCDD42BCAD628B11C99BB62649985B88169232E
Malicious:false
Preview:{"awesome-bar-result-menu-rollout-phase-1":{"slug":"awesome-bar-result-menu-rollout-phase-1","branch":{"slug":"control-rollout","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"resultMenu":true},"enabled":true,"featureId":"urlbar"}]},"active":true,"enrollmentId":"4a172078-7658-4e04-b71d-3ec1ff4a5bc8","experimentType":"rollout","source":"rs-loader","userFacingName":"Awesome Bar Result Menu Rollout (Phase 1)","userFacingDescription":"Testing out results menu options in the awesome bar.","lastSeen":"2023-10-05T09:02:05.924Z","featureIds":["urlbar"],"prefs":[],"isRollout":true},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"9002f3f3-8d5
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 22422 bytes
Category:dropped
Size (bytes):5308
Entropy (8bit):6.601149658844169
Encrypted:false
SSDEEP:96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6xzm:zTx2x2t0FDJ4NpkuvjdeplTMBm
MD5:0BFDECC7D32EE8DBC9F91DBA04D21AA3
SHA1:CFDB1D6630D3A897BDA7FD49C1E2ACA2D5EDEB15
SHA-256:D8476E7B654FEE0CDA912A675366FA4EAA0B71108A1692E5B936074DBDEBB68F
SHA-512:DD581F7C6EF3A44CAB61CF2F7EFEF239EC73B025FB187B6024E9C6532884D888B9C6981EE1BDF4ECAA9056A642D9CBACFEE7D3525F4C953F738DFEFDFBA878F5
Malicious:false
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):24
Entropy (8bit):3.91829583405449
Encrypted:false
SSDEEP:3:YWGifTJE6iHQ:YWGif9EE
MD5:3088F0272D29FAA42ED452C5E8120B08
SHA1:C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:false
Preview:{"schema":6,"addons":[]}
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):262144
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):0.04905141882491872
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
                                                                                                                                                                                                                                                                                                                                                                                MD5:8736A542C5564A922C47B19D9CC5E0F2
                                                                                                                                                                                                                                                                                                                                                                                SHA1:CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j......|....~.}.}z}-|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 56 bytes
Category:dropped
Size (bytes):66
Entropy (8bit):4.837595020998689
Encrypted:false
SSDEEP:3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:false
Preview:mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:Mozilla lz4 compressed data, originally 56 bytes
Category:dropped
Size (bytes):66
Entropy (8bit):4.837595020998689
Encrypted:false
SSDEEP:3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:false
Preview:mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}
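The two "Mozilla lz4 compressed data" entries above are Firefox's mozLz4 container: an 8-byte magic `mozLz40\0`, a little-endian u32 holding the decompressed size, then one raw LZ4 block. A dropped file in this format is only readable once that block is decoded, so an analyst who wants to confirm that such a file is ordinary profile state rather than staged loot needs a decoder. The following is an added example, not code from the sandbox report or from Mozilla; it implements the LZ4 block format in pure Python so it runs without the third-party `lz4` package. The `SAMPLE` bytes are constructed by hand to follow the printable layout visible in the preview; the decompressed text (including the `corruptDate` field name) is an assumption, and the sample is not claimed to be byte-identical to the dropped file, so its hashes will not match the MD5/SHA values listed in the entries.

```python
"""Decode a Firefox mozLz4 file (magic + u32 LE size + one raw LZ4 block).

Added example for the dropped-file entries above; not part of the report.
"""
import hashlib
import json
import struct

MOZLZ4_MAGIC = b"mozLz40\0"  # 8-byte magic, then u32 LE decompressed size


def lz4_block_decompress(src: bytes, expected_size: int) -> bytes:
    """Decode one raw LZ4 block: token / literals / offset / match sequences."""
    out = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]
        i += 1
        # Literal length lives in the high nibble; 15 means "read extension
        # bytes and add them until one is not 255".
        lit_len = token >> 4
        if lit_len == 15:
            while True:
                b = src[i]
                i += 1
                lit_len += b
                if b != 255:
                    break
        if i + lit_len > n:
            raise ValueError("literal run exceeds block")
        out += src[i:i + lit_len]
        i += lit_len
        if i >= n:
            break  # the final sequence carries literals only
        # Match: 2-byte little-endian offset back into the output, then length
        # (low nibble + 4, with the same 255 extension scheme).
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("match offset outside output window")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]
                i += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for k in range(match_len):
            out.append(out[start + k])  # byte-wise copy so overlapping matches work
        if len(out) > expected_size:
            raise ValueError("output exceeds declared size")
    if len(out) != expected_size:
        raise ValueError(f"declared {expected_size} bytes, got {len(out)}")
    return bytes(out)


def mozlz4_decompress(data: bytes) -> bytes:
    """Strip the mozLz4 header and decode the block it wraps."""
    if not data.startswith(MOZLZ4_MAGIC):
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack_from("<I", data, len(MOZLZ4_MAGIC))
    return lz4_block_decompress(data[len(MOZLZ4_MAGIC) + 4:], size)


def triage(data: bytes) -> dict:
    """Hashes in the report's upper-case style plus the decoded JSON document."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "content": json.loads(mozlz4_decompress(data)),
    }


# Constructed sample (assumption, not the dropped file itself): a hand-encoded
# mozLz4 file whose layout follows the printable bytes in the report preview.
SAMPLE = (
    MOZLZ4_MAGIC
    + struct.pack("<I", 56)                                # declared original size
    + b"\xf4\x11" + b'{"v":1,"crashes":{},"countsByDay'   # token + 32 literals
    + b"\x11\x00"                                          # match: offset 17, len 8 -> '":{},"co'
    + b"\xf0\x01" + b'rruptDate":null}'                    # token + 16 trailing literals
)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

To check a real dropped file, read it as bytes, run `triage` on it and compare the `md5`/`sha256` fields with the report entry before trusting the decoded `content`; a mismatch means you are not looking at the artefact the sandbox recorded. The decoder deliberately refuses blocks whose output overshoots the declared size, since a malformed size field is the usual way to turn a decompressor into a memory sink.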

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):36830
Entropy (8bit):5.1867460354193025
Encrypted:false
SSDEEP:768:fI40vfAXP4B6t4y4Tq4E4YFS8RM4Vi4cj45f444i4x:frFZRJw
MD5:7B0C90FC9D725F1C1620EF90ECFE6CFA
SHA1:2042AAAB0A72DB12C25AB4836691EE7059706A6B
SHA-256:89839AEC9AAEFD6E1755DD6BD7FB21E75E1F74364375EB6C35AB6C88398F5508
SHA-512:7F3E4E8CF53F4BB83D47C15A7E5ED0B83E3C907633B67BDA9750748E9FFB3954B435702C42AE1ACEB7ABC294DF8F94B737897A0FD479F054A433796283F6D2CF
Malicious:false
Preview:{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{d063e708-a05a-4089-963d-a0e071e9f0e3}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:JSON data
Category:dropped
Size (bytes):36830
Entropy (8bit):5.1867460354193025
Encrypted:false
SSDEEP:768:fI40vfAXP4B6t4y4Tq4E4YFS8RM4Vi4cj45f444i4x:frFZRJw
MD5:7B0C90FC9D725F1C1620EF90ECFE6CFA
SHA1:2042AAAB0A72DB12C25AB4836691EE7059706A6B
SHA-256:89839AEC9AAEFD6E1755DD6BD7FB21E75E1F74364375EB6C35AB6C88398F5508
SHA-512:7F3E4E8CF53F4BB83D47C15A7E5ED0B83E3C907633B67BDA9750748E9FFB3954B435702C42AE1ACEB7ABC294DF8F94B737897A0FD479F054A433796283F6D2CF
Malicious:false
Preview:{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{d063e708-a05a-4089-963d-a0e071e9f0e3}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.017262956703125623
Encrypted:false
SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                                                                                                                                                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                                                                                                                                                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):1021904
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):6.648417932394748
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
                                                                                                                                                                                                                                                                                                                                                                                MD5:FE3355639648C417E8307C6D051E3E37
                                                                                                                                                                                                                                                                                                                                                                                SHA1:F54602D4B4778DA21BC97C7238FC66AA68C8EE34
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                                                                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                                                                                                                                                                Joe Sandbox View:
                                                                                                                                                                                                                                                                                                                                                                                • Filename: fNlxQP0jBz.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: LbgqLv7gT7.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: fNlxQP0jBz.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: LbgqLv7gT7.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: P0HV8mjHS1.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: P0HV8mjHS1.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: mdPov8VTwi.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: mdPov8VTwi.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: nmy4mJXEaz.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                • Filename: 6eftz6UKDm.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):1021904
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):6.648417932394748
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
                                                                                                                                                                                                                                                                                                                                                                                MD5:FE3355639648C417E8307C6D051E3E37
                                                                                                                                                                                                                                                                                                                                                                                SHA1:F54602D4B4778DA21BC97C7238FC66AA68C8EE34
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                                                                                                                • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:ASCII text
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):116
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):4.968220104601006
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
                                                                                                                                                                                                                                                                                                                                                                                MD5:3D33CDC0B3D281E67DD52E14435DD04F
                                                                                                                                                                                                                                                                                                                                                                                SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:false
Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text
Category:dropped
Size (bytes):116
Entropy (8bit):4.968220104601006
Encrypted:false
SSDEEP:3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:3D33CDC0B3D281E67DD52E14435DD04F
SHA1:4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:false
Preview:Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):98304
Entropy (8bit):0.07338695179673393
Encrypted:false
SSDEEP:12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki6:DLhesh7Owd4+ji6
MD5:F4167D016501A8238A129DD0A6CC8067
SHA1:1DEC83DCB8010C0FF052CCDD7F4D1E0DA767D95A
SHA-256:3815D77BC171FA68838D58D9427A81278A5AEB307E99AFB2AAF5A96E461DCC28
SHA-512:134F158B631118AF212DD3D96E41F588DB1112BDE6D440EE46FC025EF250CB364EB20CBD79E676A99E9C7D811634DCF9C158A852735144EFC2F7199EC93EA094
Malicious:false
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.035577876577226504
Encrypted:false
SSDEEP:3:GtlstFYPHFIyDclltlstFYPHFIyD989//alEl:GtWtag/tWtaJ89XuM
MD5:3F3BE74C2E545F6852E6CCF4FA401E13
SHA1:1FC39B1FCB54CF33003D5B4F1D9142661785C788
SHA-256:4BDB4D67EE4606D899463A8F8311962BB13F89AFC16ECF16C5FEC5124433E53C
SHA-512:C2822518B794B6EDAD1E78E2720F7CE13CCD2CADC9E75E5877E1CAA95799A54C328A31B6C5D025430461843378CB6E973CF22DC13E1E3C54D75BB6234419B67B
Malicious:false
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:SQLite Write-Ahead Log, version 3007000
Category:dropped
Size (bytes):32824
Entropy (8bit):0.03995818625313585
Encrypted:false
SSDEEP:3:Ol1PYjBrD4o/fdnj4h9llll8rEXsxdwhml8XW3R2:K5otj47llll8dMhm93w
MD5:5F941048CF188B00DC793D299B249ADD
SHA1:7978D6C5E3FA6E83D62163B02EEF2FEC3D4B241F
SHA-256:609D95C9692B66C5B60AA3D1D3C135593DC81577303E8A19E47CA3DC5FE61AFC
SHA-512:112A71E31A87669B0966576B765AF4D0351DF48D703D4FC3C67730607E4EAEB4C2291B41E1BE3CB0F5055FC0455DB89A68E73CF59D9EB0430492ED6BE924DE1D
Malicious:false
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text, with very long lines (1765), with CRLF line terminators
Category:dropped
Size (bytes):13209
Entropy (8bit):5.479944330278101
Encrypted:false
SSDEEP:192:edniR4lYbBp6tp0pUhUxaXG6Y4nysZM2oCNOj5RlbBNBw8dFSl:CecGpCU4Y4ysnouotpw+0
MD5:22CF7F6952AD204E90C285EC050172F6
SHA1:8A0BA88CBE75C7234E402D8C9F9E3ECF4CAD6CA5
SHA-256:1C0034F449AF183FAA17930E0109108E41B6D46889D1FB3D51B2963E6A3CD41D
SHA-512:77C8087753B0B88BB41EF1D4BBF396B877424149DC2E1343FA788AC0B3B7852E51F426DC71AE751F73ECE14E370E48A3DC5503C6966337213434BC57186FE412
Malicious:false
Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734433906);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734433906);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734433906);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173443
Process:C:\Program Files\Mozilla Firefox\firefox.exe
File Type:ASCII text, with very long lines (1765), with CRLF line terminators
Category:dropped
Size (bytes):13209
Entropy (8bit):5.479944330278101
Encrypted:false
SSDEEP:192:edniR4lYbBp6tp0pUhUxaXG6Y4nysZM2oCNOj5RlbBNBw8dFSl:CecGpCU4Y4ysnouotpw+0
MD5:22CF7F6952AD204E90C285EC050172F6
SHA1:8A0BA88CBE75C7234E402D8C9F9E3ECF4CAD6CA5
SHA-256:1C0034F449AF183FAA17930E0109108E41B6D46889D1FB3D51B2963E6A3CD41D
SHA-512:77C8087753B0B88BB41EF1D4BBF396B877424149DC2E1343FA788AC0B3B7852E51F426DC71AE751F73ECE14E370E48A3DC5503C6966337213434BC57186FE412
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734433906);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734433906);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734433906);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173443
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):65536
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):0.04062825861060003
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
                                                                                                                                                                                                                                                                                                                                                                                MD5:60C09456D6362C6FBED48C69AA342C3C
                                                                                                                                                                                                                                                                                                                                                                                SHA1:58B6E22DAA48C75958B429F662DEC1C011AE74D3
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):4.194538242412464
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
                                                                                                                                                                                                                                                                                                                                                                                MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
                                                                                                                                                                                                                                                                                                                                                                                SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):90
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):4.194538242412464
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
                                                                                                                                                                                                                                                                                                                                                                                MD5:C4AB2EE59CA41B6D6A6EA911F35BDC00
                                                                                                                                                                                                                                                                                                                                                                                SHA1:5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:Mozilla lz4 compressed data, originally 5861 bytes
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):1579
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):6.364158535931596
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                                                                                                                                                SSDEEP:24:v+USUGlcAxSMTlHqzLXnIg8/pnxQwRlszT5sKHUPoV3RHVz80NT/amhufJJOyROW:GUpOxTgzsnR6vJV3Rt/NT/MJO4gE
                                                                                                                                                                                                                                                                                                                                                                                MD5:E6DBB0C23182D0CABA12A5E272BC7392
                                                                                                                                                                                                                                                                                                                                                                                SHA1:F118821885D1BF315103E7377DBDC09460231B0F
                                                                                                                                                                                                                                                                                                                                                                                SHA-256:9FE273587F51764BA384666F792A6C0A46259F07CB5084776340BDE65750ABDF
                                                                                                                                                                                                                                                                                                                                                                                SHA-512:E064403645FC15CC7C01ECA02FFD3EE69E0F9B7981735450E6DCEB0475B6AEB55A8DA13D30E2EC5C4CD06F08A282BDA8E42C5890F1C5E3A64DB8F19F1F6FF831
                                                                                                                                                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                                                                                                                                                Preview:mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4b3c6770-770f-4dfa-b3d1-d620930b286f}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734433910820,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...3a9a5720-bff5-4c6e-b4c6-310a980401cc","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..`875642...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...57690a852cf25691edcc5dba89528ccc77effc8490718525fd032e922bfe3184","pa..p"/","na..a"taarI|.Recure...,`.Donly..eexpiry....879145,"originA...."
                                                                                                                                                                                                                                                                                                                                                                                Process:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                File Type:Mozilla lz4 compressed data, originally 5861 bytes
                                                                                                                                                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                                                                                                                                                Size (bytes):1579
                                                                                                                                                                                                                                                                                                                                                                                Entropy (8bit):6.364158535931596
                                                                                                                                                                                                                                                                                                                                                                                Encrypted:false
SSDEEP: 24:v+USUGlcAxSMTlHqzLXnIg8/pnxQwRlszT5sKHUPoV3RHVz80NT/amhufJJOyROW:GUpOxTgzsnR6vJV3Rt/NT/MJO4gE
MD5: E6DBB0C23182D0CABA12A5E272BC7392
SHA1: F118821885D1BF315103E7377DBDC09460231B0F
SHA-256: 9FE273587F51764BA384666F792A6C0A46259F07CB5084776340BDE65750ABDF
SHA-512: E064403645FC15CC7C01ECA02FFD3EE69E0F9B7981735450E6DCEB0475B6AEB55A8DA13D30E2EC5C4CD06F08A282BDA8E42C5890F1C5E3A64DB8F19F1F6FF831
Malicious: false
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category: dropped
Size (bytes): 4096
Entropy (8bit): 2.0836444556178684
Encrypted: false
SSDEEP: 24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5: 8B40B1534FF0F4B533AF767EB5639A05
SHA1: 63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256: AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512: 54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious: false
Process: C:\Program Files\Mozilla Firefox\firefox.exe
File Type: JSON data
Category: dropped
Size (bytes): 4537
Entropy (8bit): 5.030868993888924
Encrypted: false
SSDEEP: 48:YrSAYUuwUQZpExB1+anO9WJVhAUVlhWFzzc87YMsku7f86SLAVL7y45FtsfAcbyk:ycUjTEr5taFzzcHvbw6KkSirc2Rn27
MD5: 423202E34BC4FEE2E12FD91175D0D0FD
SHA1: 33C0E6F972AF3CAC79A5E0A67E58B6F76D0AB76D
SHA-256: A7136B17197EABA9BC3A92182F120F29A6A292B420233CD6627FA6D28F0E5353
SHA-512: D0A4D391154F5BA98F06B9D44273224DAA492B1E772617C585D734BB786FD34549B9388C707A0BB8BDDEBCE3A24A86388F5142DBB88060D1CF864AA5F4C4819A
Malicious: false
Preview: {"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-17T11:11:29.786Z","profileAgeCreated":1696496521804,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.7011542054872315
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: kjDPynh9vQ.exe
File size: 969'216 bytes
MD5: a94e88b82d8b95386186b27736dff926
SHA1: 1c3e3a04d8d2f43867f4441ea230f5893cd14d76
SHA256: a9d9260b88c2a2f7543c9d9d61366685b2595517fbeb64cc7129898213d56b8e
SHA512: 3b0883361d7f615e5389efad9d8b4bf512bc70120b6a38e9d23657f7405547fb13baa726d370d1a3adb30cd23e73b2342446f16c1bb9c497d63e861dd1169eb1
SSDEEP: 24576:oqDEvCTbMWu7rQYlBQcBiT6rprG8aeXUNdL:oTvC/MTQYxsWR7aeXUN
TLSH: 9A259E027391C062FFAB92334F5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
                                                                                                                                                                                                                                                                                                                                                                                File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                                                                                                                                                                                                                                                                                                                Icon Hash:aaf3e3e3938382a0
                                                                                                                                                                                                                                                                                                                                                                                Entrypoint:0x420577
                                                                                                                                                                                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                                                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                                                                                                                                                                                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                                                                                                                                                Time Stamp:0x67609525 [Mon Dec 16 21:01:25 2024 UTC]
                                                                                                                                                                                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                                                                                                                                                                OS Version Major:5
                                                                                                                                                                                                                                                                                                                                                                                OS Version Minor:1
                                                                                                                                                                                                                                                                                                                                                                                File Version Major:5
                                                                                                                                                                                                                                                                                                                                                                                File Version Minor:1
                                                                                                                                                                                                                                                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                                                                                                                                                                                                                                                Subsystem Version Minor:1
                                                                                                                                                                                                                                                                                                                                                                                Import Hash:948cc502fe9226992dce9417f952fce3
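The fields in the block above are read straight out of the PE headers, and it is worth being able to reproduce them without the sandbox when triaging a sample: the listed Entrypoint is ImageBase plus AddressOfEntryPoint (0x400000 + 0x20577), "Digitally signed:false" follows from an empty security data directory, the Time Stamp is the COFF TimeDateStamp decoded as seconds since the Unix epoch, and the characteristics names are bit flags from winnt.h. The following script is an added example, not Joe Sandbox code and not derived from the sample's actual bytes: it parses a PE32 header with only the standard library and runs over a constructed header that carries the values listed above. The section layout, alignment and size values in the constructed header are assumptions chosen to be self-consistent, the mapping of the report's "File Version" to the optional header's image version pair is my reading of the report's naming, and the import hash is not reproduced because it needs the import table rather than the headers alone.

```python
import struct
from datetime import datetime, timezone

# Subset of the winnt.h flag values behind the names the report prints.
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}

# PE32 optional header up to and including DllCharacteristics (72 bytes).
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH"
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data):
    """Recover the report's file-info fields from the raw headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) images are handled here")
    entry_rva, image_base = f[6], f[9]
    os_ver, file_ver, subsys_ver = (f[12], f[13]), (f[14], f[15]), (f[16], f[17])
    subsystem, dll_chars = f[22], f[23]
    # Data directories start at optional-header offset 96; each entry is (RVA, size).
    # A zero-sized security directory means there is no Authenticode signature.
    _sec_rva, sec_size = struct.unpack_from("<II", data, opt + 96 + 8 * SECURITY_DIR_INDEX)

    # Map the entry point RVA to the section that contains it (None if outside all sections).
    entry_section = None
    for i in range(nsections):
        name, vsize, va, rawsize, *_ = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name.rstrip(b"\0").decode("ascii", "replace")
            break

    stamp = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": entry_section,
        "imagebase": image_base,
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "file_characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "time_stamp": "0x%08x [%s UTC]" % (timestamp, stamp.strftime("%a %b %d %H:%M:%S %Y")),
        "digitally_signed": sec_size != 0,
        "os_version": os_ver,
        "file_version": file_ver,
        "subsystem_version": subsys_ver,
    }


def build_sample_image():
    """Constructed PE32 header carrying the values listed in the report.

    Synthetic test input, not bytes from kjDPynh9vQ.exe: section layout, sizes
    and alignment values are assumptions chosen to be self-consistent."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * (0x80 - 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x67609525, 0, 0, 0xE0, 0x0122)
    opt = struct.pack(OPT_FMT,
                      0x10B, 14, 0,          # magic, linker version
                      0x20000, 0x10000, 0,   # code / initialized / uninitialized sizes
                      0x20577,               # AddressOfEntryPoint (RVA behind 0x420577)
                      0x1000, 0x21000,       # BaseOfCode, BaseOfData
                      0x400000,              # ImageBase
                      0x1000, 0x200,         # section / file alignment
                      5, 1, 5, 1, 5, 1,      # OS, image ("File") and subsystem versions
                      0, 0x31000, 0x400, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8040)             # Subsystem, DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", 0, 0) * 16     # all 16 directories empty: unsigned binary
    sections = struct.pack(SECTION_FMT, b".text", 0x20000, 0x1000, 0x20000, 0x400, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_FMT, b".rdata", 0x10000, 0x21000, 0x10000, 0x20400, 0, 0, 0, 0, 0x40000040)
    return dos + coff + opt + sections


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_image()).items():
        print("%-22s %s" % (key + ":", value))
```

Running it against the constructed header prints the same Entrypoint, section, subsystem, characteristics, time stamp and signing status as the block above; pointing `parse_pe_header` at the bytes of a real file is the quick check that a sandbox report's header fields match the sample you actually hold. An entry point that falls outside every section, or a time stamp in the future, are the two results from this parse that should raise an eyebrow; here both are ordinary.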
Instruction
call 00007F24A8C49433h
jmp 00007F24A8C48D3Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F24A8C48F1Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F24A8C48EEAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F24A8C4BADDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F24A8C4BB28h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
                                                                                                                                                                                                                                                                                                                                                                                lea eax, dword ptr [esi+04h]
                                                                                                                                                                                                                                                                                                                                                                                mov dword ptr [esi], 0049FDD0h
                                                                                                                                                                                                                                                                                                                                                                                push eax
                                                                                                                                                                                                                                                                                                                                                                                call 00007F24A8C4BB11h
                                                                                                                                                                                                                                                                                                                                                                                test byte ptr [ebp+08h], 00000001h
                                                                                                                                                                                                                                                                                                                                                                                pop ecx
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x15ef0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x15ef0 | 0x16000 | 6efd1f55497552763484dcbee7a1cf66 | False | 0.6978426846590909 | data | 7.156673325025995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xea000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4718 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd4840 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4968 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c50 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d78 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5c20 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd64c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd6a30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8fd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda080 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4e8 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xda538 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xda634 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdabc8 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb254 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb6e4 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbce0 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc33c | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc7a4 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc8fc | 0xd072 | data | | | 1.0004872381095162
RT_GROUP_ICON | 0xe9970 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xe99e8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe99fc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe9a10 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe9a24 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xe9b00 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
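The Entropy column in the section table and the ZLIB Complexity column in both the section and resource tables are the two numbers an analyst reads first when deciding where a packed or encrypted payload lives. The script below is an added example, not Joe Sandbox code: it computes both metrics on constructed buffers, then applies a simple triage rule to rows transcribed from the resource table above. The definition of ZLIB complexity as compressed length divided by original length, the compression level, the 1024-byte minimum size and the 0.95 threshold are all assumptions of this example; the report does not state how its column is derived.

```python
import math
import random
import zlib


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0).

    Native code and ordinary data sit roughly between 5 and 6.8; compressed
    or encrypted content approaches 8.0; padding and zero-filled areas
    approach 0.0.
    """
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Length of the zlib-compressed data divided by the original length.

    ASSUMPTION: this ratio is what the report's "ZLIB Complexity" column
    measures. The compressor settings the report used are not stated, so
    absolute values differ slightly; the ordering (text < code < random or
    encrypted) does not. Tiny inputs score above 1.0 because zlib's 2-byte
    header, block framing and 4-byte Adler-32 trailer outweigh any saving,
    which is why 20-byte RT_GROUP_ICON entries can show 1.15 or 1.25.
    """
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


# Constructed buffers (not taken from the sample) standing in for the kinds
# of content these metrics are meant to separate. The seed is arbitrary.
_rng = random.Random(20241218)
SAMPLES = {
    "ascii_text": b"The quick brown fox jumps over the lazy dog. " * 100,
    "zero_filled": b"\x00" * 4096,
    "random_bytes": bytes(_rng.getrandbits(8) for _ in range(4096)),
    "tiny_random": bytes(_rng.getrandbits(8) for _ in range(20)),
}


def measure(data: bytes) -> tuple:
    """Return (entropy_bits_per_byte, zlib_ratio) for one buffer."""
    return shannon_entropy(data), zlib_complexity(data)


# Rows transcribed from the resource table above: (entry, size, zlib ratio).
RESOURCES = [
    ("RT_ICON 0xd45f0", 0x128, 0.7466216216216216),
    ("RT_RCDATA 0xdc8fc", 0xd072, 1.0004872381095162),
    ("RT_GROUP_ICON 0xe99e8", 0x14, 1.25),
    ("RT_MANIFEST 0xe9b00", 0x3ef, 0.5074478649453823),
]


def incompressible_entries(rows, *, min_size=1024, threshold=0.95):
    """Names of entries that zlib cannot shrink, ignoring entries too small
    for the ratio to mean anything (both cut-offs are working assumptions).

    An already-compressed or encrypted blob stored as a resource lands here;
    icons, dialogs, string tables and manifests normally do not.
    """
    return [name for name, size, ratio in rows
            if size >= min_size and ratio >= threshold]


if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        ent, ratio = measure(buf)
        print(f"{label:13s} entropy={ent:5.3f}  zlib={ratio:5.3f}")
    print("incompressible resources:", incompressible_entries(RESOURCES))
```

Run against the transcribed rows, the only hit is the 0xd072-byte RT_RCDATA entry at 1.0005; the 20-byte RT_GROUP_ICON rows at 1.25 are excluded by the size floor, not because they are compressible. The same rule applied to the section table flags nothing (the highest section ratio is .reloc at 0.76), so the high 7.16 entropy of .rsrc is explained by that one resource rather than by a packed section, and the RT_RCDATA blob is the first thing to extract and inspect separately.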
DLL | Imports
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent,
GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                                                                                                                                                                                                                                                                                                                                                                                USER32.dllGetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, 
EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                                                                                                                                                                                                                                                                                                                                                                GDI32.dllEndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                                                                                                                                                                                                                                                                                                                                                                COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                                                                                                                                                                                                                                                                                                                                ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                                                                                                                                                                                                                                                                                                                                                                SHELL32.dllDragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                                                                                                                                                                                                                                                                                                                                                                ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                                                                                                                                                                                                                                                                                                                                                                OLEAUT32.dllCreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
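Import tables like the one above are the raw material for static capability signatures: a debugger check is inferred from IsDebuggerPresent, input blocking from BlockInput, clipboard access from OpenClipboard plus GetClipboardData, running code as another user from CreateProcessAsUserW or CreateProcessWithLogonW. The Python below is an added example written for this page, not part of the Joe Sandbox report or its detection engine. It parses a "DLL: function, function" listing and emits a capability tag whenever one of that tag's API groups is fully present; the tag names and trigger groups are the editor's own heuristics, and the embedded input is a constructed subset of the table above.

```python
"""Map a PE import listing to coarse capability tags (heuristic, editor's own)."""
from collections import defaultdict

# Constructed input: a subset of the import table shown above, in "DLL: f1, f2" form.
SAMPLE_IMPORTS = """\
KERNEL32.dll: IsDebuggerPresent, QueryPerformanceCounter, CreateToolhelp32Snapshot, Process32FirstW, OpenProcess, VirtualAllocEx, WriteProcessMemory, DeviceIoControl, CreateProcessW
USER32.dll: BlockInput, OpenClipboard, GetClipboardData, SetClipboardData, GetAsyncKeyState, GetKeyState, SendInput, keybd_event
ADVAPI32.dll: CreateProcessAsUserW, CreateProcessWithLogonW, LogonUserW, AdjustTokenPrivileges, RegSetValueExW
WININET.dll: InternetOpenW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, InternetReadFile
MPR.dll: WNetAddConnection2W, WNetUseConnectionW
"""

# A tag fires when ALL functions of at least one of its groups are imported.
# Labels and groups are the editor's heuristics, not a vendor's signature set.
CAPABILITIES = {
    "anti-debug (IsDebuggerPresent)": [{"IsDebuggerPresent"}],
    "execution timing": [{"QueryPerformanceCounter"}, {"GetTickCount"}, {"timeGetTime"}],
    "process enumeration": [{"CreateToolhelp32Snapshot", "Process32FirstW"}],
    "remote memory write": [{"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}],
    "device driver I/O": [{"DeviceIoControl"}],
    "block keyboard/mouse input": [{"BlockInput"}],
    "clipboard read": [{"OpenClipboard", "GetClipboardData"}],
    "clipboard write": [{"OpenClipboard", "SetClipboardData"}],
    "keystroke state query": [{"GetAsyncKeyState"}, {"GetKeyState"}],
    "synthetic input": [{"SendInput"}, {"keybd_event"}, {"mouse_event"}],
    "run as different user": [{"CreateProcessAsUserW"}, {"CreateProcessWithLogonW"}, {"LogonUserW"}],
    "token privilege adjustment": [{"AdjustTokenPrivileges"}],
    "HTTP client": [{"InternetOpenW", "InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"}],
    "network share mapping": [{"WNetAddConnection2W"}, {"WNetUseConnectionW"}],
}


def parse_imports(text):
    """Parse 'DLL: f1, f2, ...' lines into {dll_name_lower: set_of_functions}."""
    imports = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        dll, funcs = line.split(":", 1)
        imports[dll.strip().lower()].update(f.strip() for f in funcs.split(",") if f.strip())
    return dict(imports)


def all_functions(imports):
    """Flatten the per-DLL sets into one set of imported function names."""
    return set().union(*imports.values()) if imports else set()


def tag_capabilities(imports):
    """Return {tag: sorted matched functions} for every tag with a fully present group."""
    funcs = all_functions(imports)
    hits = {}
    for tag, groups in CAPABILITIES.items():
        matched = set()
        for group in groups:
            if group <= funcs:
                matched |= group
        if matched:
            hits[tag] = sorted(matched)
    return hits


def main():
    for tag, evidence in tag_capabilities(parse_imports(SAMPLE_IMPORTS)).items():
        print(f"{tag}: {', '.join(evidence)}")


if __name__ == "__main__":
    main()
```

One caveat when reading the result: the combination shown above (mciSendStringW, BlockInput, WNetAddConnection2W, IcmpSendEcho, CreateProcessWithLogonW and the WinInet set side by side) is characteristic of the AutoIt3 interpreter, whose built-ins wrap exactly these APIs. A compiled AutoIt script carries the interpreter's whole import table whether or not the embedded script ever calls those functions, so import-derived tags describe what the runtime could do, not what this script does; behavioural evidence from the run should carry more weight than this table.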
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 10:20:15.395550966 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 17, 2024 10:20:15.395587921 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
Dec 17, 2024 10:20:15.400693893 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 17, 2024 10:20:15.405656099 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 17, 2024 10:20:15.405679941 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
Dec 17, 2024 10:20:15.410912037 CET | 49739 | 80 | 192.168.2.9 | 34.107.221.82
Dec 17, 2024 10:20:15.503542900 CET | 49740 | 443 | 192.168.2.9 | 142.250.201.46
Dec 17, 2024 10:20:15.503591061 CET | 443 | 49740 | 142.250.201.46 | 192.168.2.9
Dec 17, 2024 10:20:15.503953934 CET | 49741 | 443 | 192.168.2.9 | 142.250.201.46
Dec 17, 2024 10:20:15.504018068 CET | 443 | 49741 | 142.250.201.46 | 192.168.2.9
Dec 17, 2024 10:20:15.509604931 CET | 49741 | 443 | 192.168.2.9 | 142.250.201.46
Dec 17, 2024 10:20:15.509780884 CET | 49740 | 443 | 192.168.2.9 | 142.250.201.46
Dec 17, 2024 10:20:15.515496016 CET | 49740 | 443 | 192.168.2.9 | 142.250.201.46
Dec 17, 2024 10:20:15.515507936 CET | 443 | 49740 | 142.250.201.46 | 192.168.2.9
Dec 17, 2024 10:20:15.517468929 CET | 49741 | 443 | 192.168.2.9 | 142.250.201.46
Dec 17, 2024 10:20:15.517514944 CET | 443 | 49741 | 142.250.201.46 | 192.168.2.9
Dec 17, 2024 10:20:15.530709028 CET | 80 | 49739 | 34.107.221.82 | 192.168.2.9
Dec 17, 2024 10:20:15.531023979 CET | 49739 | 80 | 192.168.2.9 | 34.107.221.82
Dec 17, 2024 10:20:15.531306028 CET | 49739 | 80 | 192.168.2.9 | 34.107.221.82
Dec 17, 2024 10:20:15.651020050 CET | 80 | 49739 | 34.107.221.82 | 192.168.2.9
Dec 17, 2024 10:20:15.878206968 CET | 49742 | 443 | 192.168.2.9 | 34.117.188.166
Dec 17, 2024 10:20:15.878268003 CET | 443 | 49742 | 34.117.188.166 | 192.168.2.9
Dec 17, 2024 10:20:15.880907059 CET | 49742 | 443 | 192.168.2.9 | 34.117.188.166
Dec 17, 2024 10:20:15.882447958 CET | 49742 | 443 | 192.168.2.9 | 34.117.188.166
Dec 17, 2024 10:20:15.882464886 CET | 443 | 49742 | 34.117.188.166 | 192.168.2.9
Dec 17, 2024 10:20:16.023164988 CET | 49743 | 443 | 192.168.2.9 | 35.244.181.201
Dec 17, 2024 10:20:16.023191929 CET | 443 | 49743 | 35.244.181.201 | 192.168.2.9
Dec 17, 2024 10:20:16.023852110 CET | 49743 | 443 | 192.168.2.9 | 35.244.181.201
Dec 17, 2024 10:20:16.024028063 CET | 49743 | 443 | 192.168.2.9 | 35.244.181.201
Dec 17, 2024 10:20:16.024041891 CET | 443 | 49743 | 35.244.181.201 | 192.168.2.9
Dec 17, 2024 10:20:16.060132027 CET | 49744 | 443 | 192.168.2.9 | 34.117.188.166
Dec 17, 2024 10:20:16.060168028 CET | 443 | 49744 | 34.117.188.166 | 192.168.2.9
Dec 17, 2024 10:20:16.060234070 CET | 49744 | 443 | 192.168.2.9 | 34.117.188.166
Dec 17, 2024 10:20:16.062124014 CET | 49744 | 443 | 192.168.2.9 | 34.117.188.166
Dec 17, 2024 10:20:16.062139988 CET | 443 | 49744 | 34.117.188.166 | 192.168.2.9
Dec 17, 2024 10:20:16.509027004 CET | 49749 | 443 | 192.168.2.9 | 34.160.144.191
Dec 17, 2024 10:20:16.509088039 CET | 443 | 49749 | 34.160.144.191 | 192.168.2.9
Dec 17, 2024 10:20:16.510406971 CET | 49749 | 443 | 192.168.2.9 | 34.160.144.191
Dec 17, 2024 10:20:16.510610104 CET | 49749 | 443 | 192.168.2.9 | 34.160.144.191
Dec 17, 2024 10:20:16.510637999 CET | 443 | 49749 | 34.160.144.191 | 192.168.2.9
Dec 17, 2024 10:20:16.615900040 CET | 80 | 49739 | 34.107.221.82 | 192.168.2.9
Dec 17, 2024 10:20:16.623922110 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
Dec 17, 2024 10:20:16.624135017 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 17, 2024 10:20:16.635278940 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 17, 2024 10:20:16.635287046 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
Dec 17, 2024 10:20:16.635526896 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
Dec 17, 2024 10:20:16.635582924 CET | 49737 | 443 | 192.168.2.9 | 35.190.72.216
Dec 17, 2024 10:20:16.635588884 CET | 443 | 49737 | 35.190.72.216 | 192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.635955095 CET49737443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.752732992 CET4973980192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.830077887 CET4973980192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.921541929 CET44349740142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.921561956 CET44349741142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.922121048 CET49741443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.922157049 CET49740443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.922241926 CET44349740142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.922255993 CET44349741142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.923089027 CET49740443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.923089981 CET49741443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.928678989 CET49740443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.928685904 CET44349740142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.928931952 CET44349740142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.929008961 CET49740443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.929017067 CET44349740142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.930073023 CET49740443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.930259943 CET49741443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.930267096 CET44349741142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.930366039 CET49741443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.930430889 CET44349741142.250.201.46192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.930506945 CET49741443192.168.2.9142.250.201.46
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.950417042 CET804973934.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.972059011 CET4975280192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.092061996 CET804975234.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.097537994 CET4975280192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.097820997 CET4975280192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.106708050 CET4434974234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.107136011 CET49742443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.114463091 CET49742443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.114490032 CET4434974234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.114600897 CET49742443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.114697933 CET4434974234.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.115044117 CET49753443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.115088940 CET4434975334.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.118493080 CET49742443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.118585110 CET49753443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.119992018 CET49753443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.120007038 CET4434975334.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.144669056 CET804973934.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.217565060 CET804975234.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.253786087 CET4434974335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.254374981 CET49743443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.254425049 CET4973980192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.257292032 CET49743443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.257313013 CET4434974335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.257632017 CET4434974335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.259895086 CET49743443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.260015965 CET49743443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.260065079 CET4434974335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.260193110 CET49743443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.285844088 CET4434974434.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.285934925 CET49744443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.292546034 CET49744443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.292563915 CET4434974434.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.292675972 CET49744443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.292759895 CET4434974434.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.292846918 CET49744443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.725784063 CET4434974934.160.144.191192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.733612061 CET49749443192.168.2.934.160.144.191
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.763536930 CET49749443192.168.2.934.160.144.191
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.763569117 CET4434974934.160.144.191192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.763957024 CET4434974934.160.144.191192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.767030954 CET49749443192.168.2.934.160.144.191
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 17, 2024 10:20:17.767124891 CET  49749        443        192.168.2.9      34.160.144.191
Dec 17, 2024 10:20:17.767215014 CET  443          49749      34.160.144.191   192.168.2.9
Dec 17, 2024 10:20:17.768722057 CET  49749        443        192.168.2.9      34.160.144.191
Dec 17, 2024 10:20:17.768744946 CET  49749        443        192.168.2.9      34.160.144.191
Dec 17, 2024 10:20:18.149328947 CET  49752        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.151587009 CET  49739        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.184344053 CET  80           49752      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:18.184406042 CET  49752        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.195451021 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.195492029 CET  443          49755      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:18.197062969 CET  49756        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.199547052 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.201086998 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.201098919 CET  443          49755      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:18.269438982 CET  80           49752      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:18.270627022 CET  49752        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.271686077 CET  80           49739      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:18.271796942 CET  49739        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.316876888 CET  80           49756      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:18.317074060 CET  49756        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.317163944 CET  49756        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.338907003 CET  443          49753      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:18.339077950 CET  49753        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.343430042 CET  49753        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.343439102 CET  443          49753      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:18.343532085 CET  49753        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.343615055 CET  443          49753      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:18.343658924 CET  49753        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:18.363712072 CET  49761        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.364294052 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:18.364311934 CET  443          49762      34.107.243.93    192.168.2.9
Dec 17, 2024 10:20:18.373770952 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:18.375125885 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:18.375140905 CET  443          49762      34.107.243.93    192.168.2.9
Dec 17, 2024 10:20:18.437350035 CET  80           49756      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:18.483915091 CET  80           49761      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:18.489140987 CET  49761        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.489648104 CET  49761        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:18.609360933 CET  80           49761      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:19.347470045 CET  49764        443        192.168.2.9      35.244.181.201
Dec 17, 2024 10:20:19.347568989 CET  443          49764      35.244.181.201   192.168.2.9
Dec 17, 2024 10:20:19.348104000 CET  49764        443        192.168.2.9      35.244.181.201
Dec 17, 2024 10:20:19.348335981 CET  49764        443        192.168.2.9      35.244.181.201
Dec 17, 2024 10:20:19.348371983 CET  443          49764      35.244.181.201   192.168.2.9
Dec 17, 2024 10:20:19.404140949 CET  80           49756      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:19.414227962 CET  49765        443        192.168.2.9      34.149.100.209
Dec 17, 2024 10:20:19.414273977 CET  443          49765      34.149.100.209   192.168.2.9
Dec 17, 2024 10:20:19.415004015 CET  49765        443        192.168.2.9      34.149.100.209
Dec 17, 2024 10:20:19.416656971 CET  49765        443        192.168.2.9      34.149.100.209
Dec 17, 2024 10:20:19.416675091 CET  443          49765      34.149.100.209   192.168.2.9
Dec 17, 2024 10:20:19.426565886 CET  443          49755      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:19.427397013 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.431724072 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.431735039 CET  443          49755      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:19.431905985 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.432079077 CET  443          49755      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:19.432286978 CET  49766        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.432368040 CET  443          49766      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:19.433137894 CET  49755        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.433191061 CET  49766        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.434847116 CET  49766        443        192.168.2.9      34.117.188.166
Dec 17, 2024 10:20:19.434881926 CET  443          49766      34.117.188.166   192.168.2.9
Dec 17, 2024 10:20:19.441988945 CET  49767        443        192.168.2.9      34.120.208.123
Dec 17, 2024 10:20:19.442029953 CET  443          49767      34.120.208.123   192.168.2.9
Dec 17, 2024 10:20:19.442893982 CET  49767        443        192.168.2.9      34.120.208.123
Dec 17, 2024 10:20:19.444230080 CET  49767        443        192.168.2.9      34.120.208.123
Dec 17, 2024 10:20:19.444251060 CET  443          49767      34.120.208.123   192.168.2.9
Dec 17, 2024 10:20:19.552515030 CET  49756        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:19.575567007 CET  80           49761      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:19.589730978 CET  443          49762      34.107.243.93    192.168.2.9
Dec 17, 2024 10:20:19.589745045 CET  443          49762      34.107.243.93    192.168.2.9
Dec 17, 2024 10:20:19.593148947 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:19.598002911 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:19.598002911 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:19.598020077 CET  443          49762      34.107.243.93    192.168.2.9
Dec 17, 2024 10:20:19.598171949 CET  443          49762      34.107.243.93    192.168.2.9
Dec 17, 2024 10:20:19.599092960 CET  49762        443        192.168.2.9      34.107.243.93
Dec 17, 2024 10:20:19.621516943 CET  49756        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:19.653623104 CET  49761        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:19.696001053 CET  49761        80         192.168.2.9      34.107.221.82
Dec 17, 2024 10:20:19.741208076 CET  80           49756      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:19.815735102 CET  80           49761      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:19.936393976 CET  80           49756      34.107.221.82    192.168.2.9
Dec 17, 2024 10:20:20.000300884 CET  49756        80         192.168.2.9      34.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.011398077 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.017059088 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.136768103 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.149420977 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.331856966 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.448344946 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.558809996 CET4434976435.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.558964968 CET49764443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.629316092 CET49764443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.629354000 CET4434976435.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.629668951 CET4434976435.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.644015074 CET4434976534.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.644169092 CET49765443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.653979063 CET4434976634.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.654055119 CET49766443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.658948898 CET4434976734.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.659018040 CET49767443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664151907 CET49765443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664151907 CET49765443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664189100 CET4434976534.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664262056 CET49764443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664536953 CET4434976435.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664597988 CET49764443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664613008 CET4434976435.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.664761066 CET4434976534.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.665045977 CET49766443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.665061951 CET4434976634.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.665111065 CET49766443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.665194988 CET4434976634.117.188.166192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666354895 CET49767443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666382074 CET4434976734.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666450977 CET49767443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666512966 CET4434976734.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666721106 CET49766443192.168.2.934.117.188.166
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666722059 CET49765443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666745901 CET49767443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.666748047 CET49764443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.418376923 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.425446033 CET49774443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.425493956 CET4434977434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.425831079 CET49774443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.426410913 CET49774443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.426422119 CET4434977434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.538250923 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.678411961 CET49775443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.678437948 CET4434977534.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.678654909 CET49776443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.678715944 CET4434977634.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.679996967 CET49775443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.680003881 CET49776443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.681797981 CET49775443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.681818962 CET4434977534.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.681989908 CET49776443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.682003021 CET4434977634.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.733330011 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.853018045 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.646209955 CET4434977434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.651334047 CET4434977434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.655472994 CET49774443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.658869028 CET49774443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.658880949 CET4434977434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.659420013 CET4434977434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.661346912 CET49774443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:22.661458015 CET49774443192.168.2.934.120.208.123
Dec 17, 2024 10:20:22.661689997 CET  443  49774  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:22.667350054 CET  443  49774  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:22.671042919 CET  49774  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:22.671076059 CET  49774  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:22.693187952 CET  49774  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:22.893301010 CET  443  49775  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:22.893893957 CET  49775  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:22.903230906 CET  443  49776  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:22.909435034 CET  49776  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:22.966370106 CET  49776  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:22.966397047 CET  443  49776  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:22.967145920 CET  443  49776  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:23.005815983 CET  49775  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:23.005845070 CET  443  49775  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:23.005924940 CET  49775  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:23.006164074 CET  443  49775  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:23.006289959 CET  49776  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:23.006375074 CET  49776  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:23.006546021 CET  443  49776  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:23.008656025 CET  49775  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:23.008678913 CET  49776  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:27.146930933 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:27.149202108 CET  49761  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:27.158149958 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:27.158195019 CET  443  49792  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:27.158797026 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:27.160835981 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:27.160857916 CET  443  49792  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:27.161258936 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:27.161273956 CET  443  49793  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:27.171463013 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:27.173178911 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:27.173187971 CET  443  49793  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:27.266674995 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:27.268874884 CET  80  49761  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:27.461630106 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:27.464646101 CET  80  49761  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:27.514523029 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:27.514661074 CET  49761  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:28.371304035 CET  443  49792  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:28.374633074 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:28.376235962 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:28.376247883 CET  443  49792  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:28.376295090 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:28.376426935 CET  443  49792  34.120.208.123  192.168.2.9
Dec 17, 2024 10:20:28.376569033 CET  49792  443  192.168.2.9  34.120.208.123
Dec 17, 2024 10:20:28.385528088 CET  443  49793  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:28.385545969 CET  443  49793  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:28.385601044 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:28.389934063 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:28.389945984 CET  443  49793  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:28.390005112 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:28.390089035 CET  443  49793  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:28.390573025 CET  49793  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:29.619379997 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:29.627201080 CET  49761  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:29.739170074 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:29.746893883 CET  80  49761  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:29.934993029 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:29.944639921 CET  80  49761  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:29.984061956 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:29.986175060 CET  49761  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:30.059253931 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:30.178941965 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:30.376044035 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:30.423043013 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:39.761583090 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:39.761621952 CET  443  49820  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:39.761843920 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:39.763349056 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:39.763386965 CET  443  49820  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:39.956382990 CET  49761  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:40.077322960 CET  80  49761  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:40.388474941 CET  49756  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:40.508322954 CET  80  49756  34.107.221.82  192.168.2.9
Dec 17, 2024 10:20:40.981065989 CET  443  49820  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:40.983655930 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:40.988384962 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:40.988398075 CET  443  49820  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:40.988527060 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:40.988641024 CET  443  49820  34.107.243.93  192.168.2.9
Dec 17, 2024 10:20:40.989506960 CET  49820  443  192.168.2.9  34.107.243.93
Dec 17, 2024 10:20:40.991647959 CET  49761  80  192.168.2.9  34.107.221.82
Dec 17, 2024 10:20:41.111449003 CET  80  49761  34.107.221.82  192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:41.306468964 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:41.310751915 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:41.360189915 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:41.430617094 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:41.626009941 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:41.676625013 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.123307943 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.123363972 CET4434983134.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.123555899 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.123601913 CET4434983235.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.124439955 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.124452114 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.124619007 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.124629021 CET4434983134.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.126089096 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.126101017 CET4434983235.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.164249897 CET49833443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.164274931 CET4434983335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.165378094 CET49833443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.165791035 CET49833443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.165806055 CET4434983335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.338386059 CET49834443192.168.2.9151.101.193.91
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.338447094 CET44349834151.101.193.91192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.338841915 CET49834443192.168.2.9151.101.193.91
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.338995934 CET49834443192.168.2.9151.101.193.91
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.339008093 CET44349834151.101.193.91192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.441471100 CET49836443192.168.2.935.201.103.21
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.441523075 CET4434983635.201.103.21192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.441848040 CET49836443192.168.2.935.201.103.21
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.443352938 CET49836443192.168.2.935.201.103.21
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.443368912 CET4434983635.201.103.21192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.735038042 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.855077982 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.050093889 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.055052996 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.099240065 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.174843073 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.334985018 CET4434983134.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.335068941 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.337049961 CET4434983235.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.338321924 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.338335037 CET4434983134.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.338607073 CET4434983134.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.340828896 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.340949059 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.340993881 CET4434983134.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.341773033 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.341793060 CET49831443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.342010021 CET49838443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.342014074 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.342041969 CET4434983834.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.346158028 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.346167088 CET4434983235.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.346178055 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.346327066 CET4434983235.190.72.216192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.346750975 CET49832443192.168.2.935.190.72.216
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.347090006 CET49838443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.348059893 CET49838443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.348455906 CET4434983834.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.356880903 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.369913101 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.385286093 CET4434983335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.385380983 CET49833443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.388294935 CET49833443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.793493986 CET4434984335.244.181.201192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.793833971 CET49843443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.793855906 CET49842443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.793865919 CET49841443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.793879986 CET49843443192.168.2.935.244.181.201
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.884085894 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.887398958 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.905605078 CET4434984434.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.906177998 CET49844443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.909579992 CET49844443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.909605980 CET4434984434.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.909946918 CET4434984434.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.912570000 CET49844443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.912677050 CET49844443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.912760019 CET4434984434.149.100.209192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.913861990 CET49844443192.168.2.934.149.100.209
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.916064978 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.007214069 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.035875082 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.202697992 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.230684042 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.233854055 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.274441957 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.353676081 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.549034119 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.590894938 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:56.235943079 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:56.355684042 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:56.552139997 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:56.672034025 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:01.136910915 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:01.136967897 CET4434988334.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:01.137382030 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:01.138907909 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:01.138921976 CET4434988334.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.357856989 CET4434988334.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.358037949 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.363256931 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.363267899 CET4434988334.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.363358974 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.363430977 CET4434988334.107.243.93192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.364234924 CET49883443192.168.2.934.107.243.93
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.366307974 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.486139059 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.681204081 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.685369968 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.731558084 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.805288076 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:03.000430107 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:03.054594040 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:12.687186956 CET4976180192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:12.806929111 CET804976134.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.003644943 CET4975680192.168.2.934.107.221.82
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.123414040 CET804975634.107.221.82192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.274655104 CET49913443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.274688005 CET4434991334.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.275010109 CET49913443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.275094986 CET49913443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.275100946 CET4434991334.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.293708086 CET49914443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.293750048 CET4434991434.120.208.123192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.294846058 CET49914443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.294846058 CET49914443192.168.2.934.120.208.123
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.294883013 CET4434991434.120.208.123192.168.2.9
Dec 17, 2024 10:21:14.486718893 CET  443          49913      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.486874104 CET  49913        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.490298033 CET  49913        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.490304947 CET  443          49913      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.490561008 CET  443          49913      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.493300915 CET  49913        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.493412018 CET  49913        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.493464947 CET  443          49913      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.493599892 CET  49913        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.497680902 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:14.505781889 CET  443          49914      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.505918026 CET  49914        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.509085894 CET  49914        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.509098053 CET  443          49914      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.509342909 CET  443          49914      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.511451006 CET  49914        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.511595964 CET  49914        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.511606932 CET  443          49914      34.120.208.123  192.168.2.9
Dec 17, 2024 10:21:14.512482882 CET  49914        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.512484074 CET  49914        443        192.168.2.9     34.120.208.123
Dec 17, 2024 10:21:14.617624998 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:14.812654018 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:14.816406965 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:14.855855942 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:14.936250925 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:15.131270885 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:15.178776979 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:24.823015928 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:24.945152044 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:25.139421940 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:25.259264946 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:34.953141928 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:35.074135065 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:35.269602060 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:35.389453888 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:42.733215094 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:42.733261108 CET  443          49982      34.107.243.93   192.168.2.9
Dec 17, 2024 10:21:42.733984947 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:42.735491991 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:42.735510111 CET  443          49982      34.107.243.93   192.168.2.9
Dec 17, 2024 10:21:43.972620964 CET  443          49982      34.107.243.93   192.168.2.9
Dec 17, 2024 10:21:43.972799063 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:43.978281021 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:43.978296995 CET  443          49982      34.107.243.93   192.168.2.9
Dec 17, 2024 10:21:43.978468895 CET  443          49982      34.107.243.93   192.168.2.9
Dec 17, 2024 10:21:43.982019901 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:43.982029915 CET  443          49982      34.107.243.93   192.168.2.9
Dec 17, 2024 10:21:43.982777119 CET  49982        443        192.168.2.9     34.107.243.93
Dec 17, 2024 10:21:43.985876083 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:44.105608940 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:44.300575018 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:44.305380106 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:44.357466936 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:44.425105095 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:44.620090961 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:44.673696995 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:54.302463055 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:54.422307014 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:21:54.625454903 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:21:54.745086908 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:22:04.431129932 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:22:04.550971031 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:22:04.754215956 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:22:04.873893023 CET  80           49756      34.107.221.82   192.168.2.9
Dec 17, 2024 10:22:14.558501959 CET  49761        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:22:14.678914070 CET  80           49761      34.107.221.82   192.168.2.9
Dec 17, 2024 10:22:14.875072002 CET  49756        80         192.168.2.9     34.107.221.82
Dec 17, 2024 10:22:14.996989012 CET  80           49756      34.107.221.82   192.168.2.9
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 17, 2024 10:20:15.271442890 CET  65428        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.271634102 CET  58501        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.395304918 CET  58221        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.411366940 CET  51715        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.501312017 CET  53           58501      1.1.1.1         192.168.2.9
Dec 17, 2024 10:20:15.505223036 CET  61436        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.535711050 CET  53           58221      1.1.1.1         192.168.2.9
Dec 17, 2024 10:20:15.536766052 CET  57808        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.552721977 CET  53           51715      1.1.1.1         192.168.2.9
Dec 17, 2024 10:20:15.553491116 CET  60206        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.574462891 CET  56452        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.642046928 CET  53           61436      1.1.1.1         192.168.2.9
Dec 17, 2024 10:20:15.642899990 CET  54479        53         192.168.2.9     1.1.1.1
Dec 17, 2024 10:20:15.690591097 CET  53           60206      1.1.1.1         192.168.2.9
Dec 17, 2024 10:20:15.770343065 CET  53           57808      1.1.1.1         192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:15.807652950 CET53564521.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:15.873996019 CET53544791.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:15.878861904 CET6373853192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:15.921765089 CET5395353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.016686916 CET53637381.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.020179987 CET6014453192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.023746014 CET6024253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.059115887 CET53539531.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.060398102 CET5578953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.161700964 CET53602421.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.162516117 CET5220653192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.197993994 CET53557891.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.198798895 CET5714553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.251179934 CET53601441.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.300896883 CET53522061.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.336328983 CET53571451.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.366375923 CET6120953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.504606962 CET53612091.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.510198116 CET5173753192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.743061066 CET6183153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.743307114 CET5776353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.748013973 CET53517371.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.749155998 CET5536253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.826427937 CET6297653192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.829564095 CET5050453192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.887623072 CET53553621.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.963505030 CET53629761.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.976780891 CET53577631.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.030641079 CET4975553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.261923075 CET53497551.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.278147936 CET6486553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.400361061 CET53495051.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.508956909 CET53648651.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.520987988 CET5450953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.658094883 CET53545091.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.227812052 CET4934953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.367378950 CET53493491.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.414892912 CET6248353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.442698002 CET6094953192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.551592112 CET53624831.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.579821110 CET53609491.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.617188931 CET6463553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.623755932 CET6513053192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.755219936 CET53646351.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.761744976 CET53651301.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.312738895 CET5806653192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.450716019 CET53580661.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.451503038 CET6098253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.589813948 CET53609821.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.678277969 CET6428753192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.825532913 CET53642871.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:25.925513029 CET5652553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:25.925585032 CET5127553192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:25.926110029 CET6225153192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET53512751.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062844992 CET53565251.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.063668966 CET4928353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.063719034 CET5813353192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.064038038 CET53622511.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.064709902 CET6364253192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.200834036 CET53581331.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.202296019 CET53636421.1.1.1192.168.2.9
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.202747107 CET6497453192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.203197956 CET5258653192.168.2.91.1.1.1
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET53492831.1.1.1192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.623755932 CET192.168.2.91.1.1.10xc43cStandard query (0)telemetry-incoming.r53-2.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.312738895 CET192.168.2.91.1.1.10xec22Standard query (0)support.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.451503038 CET192.168.2.91.1.1.10xaf4cStandard query (0)us-west1.prod.sumo.prod.webservices.mozgcp.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.678277969 CET192.168.2.91.1.1.10xaf87Standard query (0)us-west1.prod.sumo.prod.webservices.mozgcp.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:25.925513029 CET192.168.2.91.1.1.10xb4a8Standard query (0)www.facebook.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:25.925585032 CET192.168.2.91.1.1.10x88f1Standard query (0)www.youtube.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:25.926110029 CET192.168.2.91.1.1.10x716cStandard query (0)www.wikipedia.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.063668966 CET192.168.2.91.1.1.10xae30Standard query (0)youtube-ui.l.google.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.063719034 CET192.168.2.91.1.1.10xb9ceStandard query (0)star-mini.c10r.facebook.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.064709902 CET192.168.2.91.1.1.10x792fStandard query (0)dyna.wikimedia.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.202747107 CET192.168.2.91.1.1.10xe28bStandard query (0)star-mini.c10r.facebook.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.203197956 CET192.168.2.91.1.1.10x28ffStandard query (0)dyna.wikimedia.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.292217970 CET192.168.2.91.1.1.10x4a3cStandard query (0)youtube-ui.l.google.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.090945005 CET192.168.2.91.1.1.10xfb78Standard query (0)www.reddit.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.090945005 CET192.168.2.91.1.1.10xd707Standard query (0)twitter.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.158282995 CET192.168.2.91.1.1.10x54b0Standard query (0)telemetry-incoming.r53-2.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.229299068 CET192.168.2.91.1.1.10x694cStandard query (0)reddit.map.fastly.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.230053902 CET192.168.2.91.1.1.10xd1d6Standard query (0)twitter.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.297069073 CET192.168.2.91.1.1.10xeda1Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.368129015 CET192.168.2.91.1.1.10x710fStandard query (0)reddit.map.fastly.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.458975077 CET192.168.2.91.1.1.10x2c03Standard query (0)twitter.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:39.761986017 CET192.168.2.91.1.1.10x3e34Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.099355936 CET192.168.2.91.1.1.10x5149Standard query (0)services.addons.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.124258995 CET192.168.2.91.1.1.10xd117Standard query (0)normandy.cdn.mozilla.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.160573959 CET192.168.2.91.1.1.10xeab6Standard query (0)prod.balrog.prod.cloudops.mozgcp.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.299701929 CET192.168.2.91.1.1.10x8620Standard query (0)prod.balrog.prod.cloudops.mozgcp.net28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.338784933 CET192.168.2.91.1.1.10xc675Standard query (0)services.addons.mozilla.orgA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.441721916 CET192.168.2.91.1.1.10x17e9Standard query (0)normandy-cdn.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.570166111 CET192.168.2.91.1.1.10x8b08Standard query (0)services.addons.mozilla.org28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:43.672358990 CET192.168.2.91.1.1.10x3edbStandard query (0)normandy-cdn.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:00.998533964 CET192.168.2.91.1.1.10x4185Standard query (0)push.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:01.137352943 CET192.168.2.91.1.1.10xfb93Standard query (0)push.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.366688967 CET192.168.2.91.1.1.10x9ed5Standard query (0)detectportal.firefox.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:13.504482031 CET192.168.2.91.1.1.10x6068Standard query (0)telemetry-incoming.r53-2.services.mozilla.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:42.594449997 CET192.168.2.91.1.1.10x7e5bStandard query (0)push.services.mozilla.comA (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:42.733866930 CET192.168.2.91.1.1.10x2b7dStandard query (0)push.services.mozilla.com28IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 10:20:02.076514959 CET | 1.1.1.1 | 192.168.2.9 | 0x6243 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:02.076514959 CET | 1.1.1.1 | 192.168.2.9 | 0x6243 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.391918898 CET | 1.1.1.1 | 192.168.2.9 | 0x4837 | No error (0) | prod.classify-client.prod.webservices.mozgcp.net | | 35.190.72.216 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.410003901 CET | 1.1.1.1 | 192.168.2.9 | 0xd4cd | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:15.410003901 CET | 1.1.1.1 | 192.168.2.9 | 0xd4cd | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.501312017 CET | 1.1.1.1 | 192.168.2.9 | 0xa861 | No error (0) | youtube.com | | 142.250.201.46 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.535711050 CET | 1.1.1.1 | 192.168.2.9 | 0x5319 | No error (0) | prod.classify-client.prod.webservices.mozgcp.net | | 35.190.72.216 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.552721977 CET | 1.1.1.1 | 192.168.2.9 | 0x568a | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.642046928 CET | 1.1.1.1 | 192.168.2.9 | 0xf442 | No error (0) | youtube.com | | 142.250.181.78 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.690591097 CET | 1.1.1.1 | 192.168.2.9 | 0x99f0 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | | | AAAA (IPv6 address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.807652950 CET | 1.1.1.1 | 192.168.2.9 | 0xa2f2 | No error (0) | contile.services.mozilla.com | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:15.873996019 CET | 1.1.1.1 | 192.168.2.9 | 0x2992 | No error (0) | youtube.com | | | AAAA (IPv6 address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.016686916 CET | 1.1.1.1 | 192.168.2.9 | 0x5c63 | No error (0) | contile.services.mozilla.com | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.021610975 CET | 1.1.1.1 | 192.168.2.9 | 0xad82 | No error (0) | balrog-aus5.r53-2.services.mozilla.com | prod.balrog.prod.cloudops.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:16.021610975 CET | 1.1.1.1 | 192.168.2.9 | 0xad82 | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.059115887 CET | 1.1.1.1 | 192.168.2.9 | 0x11df | No error (0) | spocs.getpocket.com | prod.ads.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:16.059115887 CET | 1.1.1.1 | 192.168.2.9 | 0x11df | No error (0) | prod.ads.prod.webservices.mozgcp.net | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.161700964 CET | 1.1.1.1 | 192.168.2.9 | 0x9ad7 | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.197993994 CET | 1.1.1.1 | 192.168.2.9 | 0xe3bb | No error (0) | prod.ads.prod.webservices.mozgcp.net | | 34.117.188.166 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.504606962 CET | 1.1.1.1 | 192.168.2.9 | 0x155b | No error (0) | content-signature-2.cdn.mozilla.net | content-signature-chains.prod.autograph.services.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:16.504606962 CET | 1.1.1.1 | 192.168.2.9 | 0x155b | No error (0) | content-signature-chains.prod.autograph.services.mozaws.net | prod.content-signature-chains.prod.webservices.mozgcp.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:16.504606962 CET | 1.1.1.1 | 192.168.2.9 | 0x155b | No error (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | | 34.160.144.191 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.748013973 CET | 1.1.1.1 | 192.168.2.9 | 0x2a66 | No error (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | | 34.160.144.191 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.887623072 CET | 1.1.1.1 | 192.168.2.9 | 0x28ca | No error (0) | prod.content-signature-chains.prod.webservices.mozgcp.net | | | AAAA (IPv6 address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.959716082 CET | 1.1.1.1 | 192.168.2.9 | 0xf3a7 | No error (0) | shavar.services.mozilla.com | shavar.prod.mozaws.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:16.963505030 CET | 1.1.1.1 | 192.168.2.9 | 0x16bc | No error (0) | ipv4only.arpa | | 192.0.0.170 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:16.963505030 CET | 1.1.1.1 | 192.168.2.9 | 0x16bc | No error (0) | ipv4only.arpa | | 192.0.0.171 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.968302011 CET1.1.1.1192.168.2.90x9080No error (0)detectportal.firefox.comdetectportal.prod.mozaws.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.968302011 CET1.1.1.1192.168.2.90x9080No error (0)prod.detectportal.prod.cloudops.mozgcp.net34.107.221.82A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:16.976780891 CET1.1.1.1192.168.2.90xe79aNo error (0)example.org93.184.215.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.261923075 CET1.1.1.1192.168.2.90xda0bNo error (0)push.services.mozilla.com34.107.243.93A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.508956909 CET1.1.1.1192.168.2.90x917bNo error (0)push.services.mozilla.com34.107.243.93A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.341223001 CET1.1.1.1192.168.2.90x5019No error (0)balrog-aus5.r53-2.services.mozilla.comprod.balrog.prod.cloudops.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.341223001 CET1.1.1.1192.168.2.90x5019No error (0)prod.balrog.prod.cloudops.mozgcp.net35.244.181.201A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.367378950 CET1.1.1.1192.168.2.90xbe8dNo error (0)firefox.settings.services.mozilla.comprod.remote-settings.prod.webservices.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.367378950 CET1.1.1.1192.168.2.90xbe8dNo error (0)prod.remote-settings.prod.webservices.mozgcp.net34.149.100.209A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.415014029 CET1.1.1.1192.168.2.90x6abfNo error (0)telemetry-incoming.r53-2.services.mozilla.com34.120.208.123A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.551592112 CET1.1.1.1192.168.2.90x7acbNo error (0)prod.remote-settings.prod.webservices.mozgcp.net34.149.100.209A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.579821110 CET1.1.1.1192.168.2.90x63dcNo error (0)telemetry-incoming.r53-2.services.mozilla.com34.120.208.123A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.450716019 CET1.1.1.1192.168.2.90xec22No error (0)support.mozilla.orgprod.sumo.prod.webservices.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.450716019 CET1.1.1.1192.168.2.90xec22No error (0)prod.sumo.prod.webservices.mozgcp.netus-west1.prod.sumo.prod.webservices.mozgcp.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.450716019 CET1.1.1.1192.168.2.90xec22No error (0)us-west1.prod.sumo.prod.webservices.mozgcp.net34.149.128.2A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.589813948 CET1.1.1.1192.168.2.90xaf4cNo error (0)us-west1.prod.sumo.prod.webservices.mozgcp.net34.149.128.2A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.654222965 CET1.1.1.1192.168.2.90x6edaNo error (0)telemetry-incoming.r53-2.services.mozilla.com34.120.208.123A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)www.youtube.comyoutube-ui.l.google.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.19.174A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.17.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com142.250.181.142A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com142.250.181.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.19.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com216.58.208.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.21.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com142.250.181.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.19.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.19.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com172.217.17.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062572002 CET1.1.1.1192.168.2.90x88f1No error (0)youtube-ui.l.google.com142.250.181.110A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062844992 CET1.1.1.1192.168.2.90xb4a8No error (0)www.facebook.comstar-mini.c10r.facebook.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.062844992 CET1.1.1.1192.168.2.90xb4a8No error (0)star-mini.c10r.facebook.com157.240.196.35A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.064038038 CET1.1.1.1192.168.2.90x716cNo error (0)www.wikipedia.orgdyna.wikimedia.orgCNAME (Canonical name)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.064038038 CET1.1.1.1192.168.2.90x716cNo error (0)dyna.wikimedia.org185.15.58.224A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.200834036 CET1.1.1.1192.168.2.90xb9ceNo error (0)star-mini.c10r.facebook.com157.240.196.35A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.202296019 CET1.1.1.1192.168.2.90x792fNo error (0)dyna.wikimedia.org185.15.58.224A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com172.217.18.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com216.58.198.78A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.250.200.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com172.217.171.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.251.37.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com172.217.21.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com216.58.211.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.250.201.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.251.37.174A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.250.203.238A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.250.201.14A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com172.217.19.142A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com216.58.212.110A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.251.37.46A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.250.200.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.291338921 CET1.1.1.1192.168.2.90xae30No error (0)youtube-ui.l.google.com142.251.37.206A (IP address)IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.339937925 CET1.1.1.1192.168.2.90xe28bNo error (0)star-mini.c10r.facebook.com28IN (0x0001)false
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:26.437849045 CET1.1.1.1192.168.2.90x28ffNo error (0)dyna.wikimedia.org28IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Type | Class | DNS_AA
Dec 17, 2024 10:20:26.530109882 CET | 1.1.1.1 | 192.168.2.9 | 0x4a3c | No error (0) | youtube-ui.l.google.com | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:26.530109882 CET | 1.1.1.1 | 192.168.2.9 | 0x4a3c | No error (0) | youtube-ui.l.google.com | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:26.530109882 CET | 1.1.1.1 | 192.168.2.9 | 0x4a3c | No error (0) | youtube-ui.l.google.com | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:26.530109882 CET | 1.1.1.1 | 192.168.2.9 | 0x4a3c | No error (0) | youtube-ui.l.google.com | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:27.228311062 CET | 1.1.1.1 | 192.168.2.9 | 0xfb78 | No error (0) | www.reddit.com | reddit.map.fastly.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:27.228311062 CET | 1.1.1.1 | 192.168.2.9 | 0xfb78 | No error (0) | reddit.map.fastly.net | 151.101.129.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.228311062 CET | 1.1.1.1 | 192.168.2.9 | 0xfb78 | No error (0) | reddit.map.fastly.net | 151.101.65.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.228311062 CET | 1.1.1.1 | 192.168.2.9 | 0xfb78 | No error (0) | reddit.map.fastly.net | 151.101.193.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.228311062 CET | 1.1.1.1 | 192.168.2.9 | 0xfb78 | No error (0) | reddit.map.fastly.net | 151.101.1.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.229396105 CET | 1.1.1.1 | 192.168.2.9 | 0xd707 | No error (0) | twitter.com | 104.244.42.193 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.367191076 CET | 1.1.1.1 | 192.168.2.9 | 0x694c | No error (0) | reddit.map.fastly.net | 151.101.1.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.367191076 CET | 1.1.1.1 | 192.168.2.9 | 0x694c | No error (0) | reddit.map.fastly.net | 151.101.129.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.367191076 CET | 1.1.1.1 | 192.168.2.9 | 0x694c | No error (0) | reddit.map.fastly.net | 151.101.65.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.367191076 CET | 1.1.1.1 | 192.168.2.9 | 0x694c | No error (0) | reddit.map.fastly.net | 151.101.193.140 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:27.458199978 CET | 1.1.1.1 | 192.168.2.9 | 0xd1d6 | No error (0) | twitter.com | 104.244.42.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.158906937 CET | 1.1.1.1 | 192.168.2.9 | 0xb1eb | No error (0) | balrog-aus5.r53-2.services.mozilla.com | prod.balrog.prod.cloudops.mozgcp.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:43.158906937 CET | 1.1.1.1 | 192.168.2.9 | 0xb1eb | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.298692942 CET | 1.1.1.1 | 192.168.2.9 | 0xeab6 | No error (0) | prod.balrog.prod.cloudops.mozgcp.net | 35.244.181.201 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.337223053 CET | 1.1.1.1 | 192.168.2.9 | 0x5149 | No error (0) | services.addons.mozilla.org | 151.101.193.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.337223053 CET | 1.1.1.1 | 192.168.2.9 | 0x5149 | No error (0) | services.addons.mozilla.org | 151.101.1.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.337223053 CET | 1.1.1.1 | 192.168.2.9 | 0x5149 | No error (0) | services.addons.mozilla.org | 151.101.65.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.337223053 CET | 1.1.1.1 | 192.168.2.9 | 0x5149 | No error (0) | services.addons.mozilla.org | 151.101.129.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.440368891 CET | 1.1.1.1 | 192.168.2.9 | 0xd117 | No error (0) | normandy.cdn.mozilla.net | normandy-cdn.services.mozilla.com | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:43.440368891 CET | 1.1.1.1 | 192.168.2.9 | 0xd117 | No error (0) | normandy-cdn.services.mozilla.com | 35.201.103.21 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.569382906 CET | 1.1.1.1 | 192.168.2.9 | 0xc675 | No error (0) | services.addons.mozilla.org | 151.101.193.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.569382906 CET | 1.1.1.1 | 192.168.2.9 | 0xc675 | No error (0) | services.addons.mozilla.org | 151.101.1.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.569382906 CET | 1.1.1.1 | 192.168.2.9 | 0xc675 | No error (0) | services.addons.mozilla.org | 151.101.65.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.569382906 CET | 1.1.1.1 | 192.168.2.9 | 0xc675 | No error (0) | services.addons.mozilla.org | 151.101.129.91 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.671108007 CET | 1.1.1.1 | 192.168.2.9 | 0x17e9 | No error (0) | normandy-cdn.services.mozilla.com | 35.201.103.21 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:20:43.707941055 CET | 1.1.1.1 | 192.168.2.9 | 0x8b08 | No error (0) | services.addons.mozilla.org | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:43.707941055 CET | 1.1.1.1 | 192.168.2.9 | 0x8b08 | No error (0) | services.addons.mozilla.org | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:43.707941055 CET | 1.1.1.1 | 192.168.2.9 | 0x8b08 | No error (0) | services.addons.mozilla.org | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:43.707941055 CET | 1.1.1.1 | 192.168.2.9 | 0x8b08 | No error (0) | services.addons.mozilla.org | | 28 | IN (0x0001) | false
Dec 17, 2024 10:20:46.389657021 CET | 1.1.1.1 | 192.168.2.9 | 0xa9f5 | No error (0) | a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com | a17.rackcdn.com | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:20:46.389657021 CET | 1.1.1.1 | 192.168.2.9 | 0xa9f5 | No error (0) | a17.rackcdn.com | a17.rackcdn.com.mdc.edgesuite.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:21:01.135729074 CET | 1.1.1.1 | 192.168.2.9 | 0x4185 | No error (0) | push.services.mozilla.com | 34.107.243.93 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:21:02.596362114 CET | 1.1.1.1 | 192.168.2.9 | 0x9ed5 | No error (0) | detectportal.firefox.com | detectportal.prod.mozaws.net | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 10:21:02.596362114 CET | 1.1.1.1 | 192.168.2.9 | 0x9ed5 | No error (0) | prod.detectportal.prod.cloudops.mozgcp.net | 34.107.221.82 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:21:13.502892017 CET | 1.1.1.1 | 192.168.2.9 | 0x9b7b | No error (0) | telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 10:21:42.731777906 CET | 1.1.1.1 | 192.168.2.9 | 0x7e5b | No error (0) | push.services.mozilla.com | 34.107.243.93 | A (IP address) | IN (0x0001) | false
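The DNS Answers rows above, as the report is exported, run all ten columns together with no separator, which makes them awkward to turn into a domain-to-address list. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it splits the fused columns, validates the two IP columns against the addresses of this analysis environment (1.1.1.1 answering as the resolver and 192.168.2.9 as the analysis machine, both visible in every row), splits the fused Name/CName pair by preferring a target the report resolves in another row, and collapses CNAME chains to their final A-record addresses. The sample input is a handful of rows copied from this page plus one constructed row with a foreign source address; the .com/.net/.org fallback split for CNAME rows and the undecoded type-code table (28 read as AAAA) are assumptions of the example, not something the report states.

```python
"""Parse Joe Sandbox "DNS Answers" rows whose columns were run together during
extraction, then collapse CNAME chains to the final A-record addresses.

Column order, from the report's own table header: Timestamp, Source IP,
Dest IP, Trans ID, Reply Code, Name, CName, Type, Class, DNS_AA.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: rows copied from this report in the run-together form,
# plus one made-up row (source 10.9.9.9) to exercise the environment check.
SAMPLE_ROWS = [
    "Dec 17, 2024 10:20:27.228311062 CET1.1.1.1192.168.2.90xfb78No error (0)www.reddit.comreddit.map.fastly.netCNAME (Canonical name)IN (0x0001)false",
    "Dec 17, 2024 10:20:27.228311062 CET1.1.1.1192.168.2.90xfb78No error (0)reddit.map.fastly.net151.101.129.140A (IP address)IN (0x0001)false",
    "Dec 17, 2024 10:20:27.228311062 CET1.1.1.1192.168.2.90xfb78No error (0)reddit.map.fastly.net151.101.65.140A (IP address)IN (0x0001)false",
    "Dec 17, 2024 10:20:43.158906937 CET1.1.1.1192.168.2.90xb1ebNo error (0)balrog-aus5.r53-2.services.mozilla.comprod.balrog.prod.cloudops.mozgcp.netCNAME (Canonical name)IN (0x0001)false",
    "Dec 17, 2024 10:20:43.158906937 CET1.1.1.1192.168.2.90xb1ebNo error (0)prod.balrog.prod.cloudops.mozgcp.net35.244.181.201A (IP address)IN (0x0001)false",
    "Dec 17, 2024 10:20:43.707941055 CET1.1.1.1192.168.2.90x8b08No error (0)services.addons.mozilla.org28IN (0x0001)false",
    "Dec 17, 2024 10:20:46.389657021 CET1.1.1.1192.168.2.90xa9f5No error (0)a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.coma17.rackcdn.comCNAME (Canonical name)IN (0x0001)false",
    "Dec 17, 2024 10:20:46.389657021 CET1.1.1.1192.168.2.90xa9f5No error (0)a17.rackcdn.coma17.rackcdn.com.mdc.edgesuite.netCNAME (Canonical name)IN (0x0001)false",
    "Dec 17, 2024 10:20:46.389657021 CET10.9.9.9192.168.2.90xa9f5No error (0)example.test192.0.2.1A (IP address)IN (0x0001)false",
]

# Addresses of the analysis environment as they appear in this report:
# 1.1.1.1 answers as the resolver, 192.168.2.9 is the analysis machine.
EXPECTED_HOSTS = frozenset({"1.1.1.1", "192.168.2.9"})
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# The two fused IP columns ("1.1.1.1192.168.2.9") are genuinely ambiguous text,
# so lazy quantifiers take the shortest source address and the result is
# checked against EXPECTED_HOSTS rather than trusted.
ROW = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,4})"
    r"(?P<src>\d{1,3}?(?:\.\d{1,3}?){3})"
    r"(?P<dst>\d{1,3}?(?:\.\d{1,3}?){3})"
    r"(?P<txid>0x[0-9a-f]{1,4})"
    r"(?P<rcode>[^()]*\(\d+\))"
    r"(?P<rest>.+?)"  # Name plus CName or address, still fused
    r"(?P<type>A \(IP address\)|CNAME \(Canonical name\)|28)"
    r"(?P<cls>IN \(0x[0-9a-f]{4}\))"
    r"(?P<aa>true|false)$"
)
RAW_TYPES = {"28": "AAAA"}  # assumed decoding of type codes the report leaves numeric

# Fallback for CNAME rows: cut at the first .com/.net/.org label that is directly
# followed by another hostname. A heuristic for the suffixes on this page, not a
# public-suffix-list lookup.
CNAME_SPLIT = re.compile(r"^(?P<name>.+?\.(?:com|net|org))(?P<cname>[a-z0-9].+)$")


def _split_a(rest: str) -> Tuple[str, Optional[str]]:
    # Shortest name such that what remains is a complete IPv4 address; a name
    # whose last label ends in digits could still be cut one character early.
    m = re.match(rf"^(?P<name>.+?)(?P<ip>{IPV4})$", rest)
    return (m["name"], m["ip"]) if m else (rest, None)


def _split_cname(rest: str, known: Set[str]) -> Tuple[str, Optional[str]]:
    # Prefer a target the report resolves in another row (longest suffix first),
    # then fall back to the suffix heuristic.
    for i in range(1, len(rest)):
        if rest[i:] in known:
            return rest[:i], rest[i:]
    m = CNAME_SPLIT.match(rest)
    return (m["name"], m["cname"]) if m else (rest, None)


def parse_dns_answers(lines: List[str], expected_hosts=EXPECTED_HOSTS):
    """Return (records, rejected); rejected rows failed the regex or host check."""
    matched, rejected = [], []
    for line in lines:
        m = ROW.match(line.strip())
        if m and m["src"] in expected_hosts and m["dst"] in expected_hosts:
            matched.append(m)
        else:
            rejected.append(line)
    # Pass 1: names of A rows and numeric-type rows need no CName split.
    known: Set[str] = set()
    for m in matched:
        if not m["type"].startswith("CNAME"):
            known.add(_split_a(m["rest"])[0] if m["type"].startswith("A") else m["rest"])
    # Pass 2: build records in the report's order, splitting CNAME rows last.
    records = []
    for m in matched:
        if m["type"].startswith("CNAME"):
            rtype, (name, data) = "CNAME", _split_cname(m["rest"], known)
        elif m["type"].startswith("A"):
            rtype, (name, data) = "A", _split_a(m["rest"])
        else:
            rtype, (name, data) = RAW_TYPES.get(m["type"], m["type"]), (m["rest"], None)
        records.append({"ts": m["ts"], "txid": m["txid"], "rcode": m["rcode"],
                        "name": name, "type": rtype, "data": data})
    return records, rejected


def final_addresses(records) -> Dict[str, Set[str]]:
    """Map every queried name to the A-record addresses its CNAME chain ends in."""
    cnames = {r["name"]: r["data"] for r in records if r["type"] == "CNAME" and r["data"]}
    a_records: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["type"] == "A":
            a_records[r["name"]].add(r["data"])
    out = {}
    for name in {r["name"] for r in records}:
        cur, seen = name, set()
        while cur in cnames and cur not in seen:  # guard against looping chains
            seen.add(cur)
            cur = cnames[cur]
        out[name] = set(a_records.get(cur, ()))
    return out


if __name__ == "__main__":
    recs, bad = parse_dns_answers(SAMPLE_ROWS)
    for name, ips in sorted(final_addresses(recs).items()):
        print(f"{name:72} -> {sorted(ips) or '(no A record in this batch)'}")
    print(f"{len(bad)} row(s) rejected by the environment check")
```

Run as a script it prints each queried name with the addresses its chain ends in; the two rackcdn.com names come out with no address because their chain ends at a17.rackcdn.com.mdc.edgesuite.net, which this section of the report never resolves. Rows that fail the environment check are returned separately rather than dropped, so an address that does not belong to the sandbox stands out instead of being silently mis-split.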
• detectportal.firefox.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49739 | 34.107.221.82 | 80 | 8000 | C:\Program Files\Mozilla Firefox\firefox.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 10:20:15.531306028 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:20:16.615900040 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78432
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:20:16.830077887 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:20:17.144669056 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78432
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>


                                                                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                                                                1192.168.2.94975234.107.221.82808000C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:17.097820997 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:18.184344053 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 10:09:59 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 83419
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success


                                                                                                                                                                                                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                                                                                                                                2192.168.2.94975634.107.221.82808000C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:18.317163944 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.404140949 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 10:09:59 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 83420
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.621516943 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.936393976 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 10:09:59 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 83420
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.017059088 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:20:20.331856966 CET 216 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83421
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:20:27.146930933 CET 305 OUT GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:20:27.461630106 CET 216 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83428
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:20:29.619379997 CET 305 OUT GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:20:29.934993029 CET 216 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83430
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:20:30.059253931 CET 305 OUT GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:20:30.376044035 CET 216 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83431
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:20:40.388474941 CET 6 OUT Data Raw: 00
Data Ascii:
Dec 17, 2024 10:20:41.310751915 CET 305 OUT GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:20:41.626009941 CET 216 IN HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83442
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.055052996 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.369913101 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 10:09:59 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 83445
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.676948071 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:44.991638899 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 10:09:59 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 83445
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.887398958 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.202697992 CET216INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 8
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 10:09:59 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 83447
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 73 75 63 63 65 73 73 0a
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: success
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.233854055 CET305OUTGET /success.txt?ipv4 HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
Dec 17, 2024 10:20:46.549034119 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83447
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:20:56.552139997 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:21:02.685369968 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:21:03.000430107 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83463
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:21:13.003644943 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:21:14.816406965 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:21:15.131270885 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83475
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:21:25.139421940 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:21:35.269602060 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:21:44.305380106 CET | 305 | OUT | GET /success.txt?ipv4 HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Dec 17, 2024 10:21:44.620090961 CET | 216 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 8
Via: 1.1 google
Date: Mon, 16 Dec 2024 10:09:59 GMT
Age: 83505
Content-Type: text/plain
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 73 75 63 63 65 73 73 0a
Data Ascii: success
Dec 17, 2024 10:21:54.625454903 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:22:04.754215956 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:22:14.875072002 CET | 6 | OUT | Data Raw: 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 49761 | 34.107.221.82 | 80 | 8000 | C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 10:20:18.489648104 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.575567007 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78435
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:19.696001053 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:20.011398077 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78435
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.418376923 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:21.733330011 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78437
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.149202108 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:27.464646101 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78443
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:20:29.627201080 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:20:29.944639921 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78445
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:20:39.956382990 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:20:40.991647959 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:20:41.306468964 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78457
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:20:43.735038042 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:20:44.050093889 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78459
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:20:44.356880903 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:20:44.671613932 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78460
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:20:45.569354057 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.884085894 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78461
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:45.916064978 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:46.230684042 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78462
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:20:56.235943079 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.366307974 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:02.681204081 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
                                                                                                                                                                                                                                                                                                                                                                                Date: Mon, 16 Dec 2024 11:33:04 GMT
                                                                                                                                                                                                                                                                                                                                                                                Age: 78478
                                                                                                                                                                                                                                                                                                                                                                                Content-Type: text/html
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
                                                                                                                                                                                                                                                                                                                                                                                Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:12.687186956 CET6OUTData Raw: 00
                                                                                                                                                                                                                                                                                                                                                                                Data Ascii:
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:14.497680902 CET303OUTGET /canonical.html HTTP/1.1
                                                                                                                                                                                                                                                                                                                                                                                Host: detectportal.firefox.com
                                                                                                                                                                                                                                                                                                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
                                                                                                                                                                                                                                                                                                                                                                                Accept: */*
                                                                                                                                                                                                                                                                                                                                                                                Accept-Language: en-US,en;q=0.5
                                                                                                                                                                                                                                                                                                                                                                                Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                                                                                                                                                                                Cache-Control: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Pragma: no-cache
                                                                                                                                                                                                                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                                                                                                                                                                                                                Dec 17, 2024 10:21:14.812654018 CET298INHTTP/1.1 200 OK
                                                                                                                                                                                                                                                                                                                                                                                Server: nginx
                                                                                                                                                                                                                                                                                                                                                                                Content-Length: 90
                                                                                                                                                                                                                                                                                                                                                                                Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78490
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:21:24.823015928 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:21:34.953141928 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:21:43.985876083 CET | 303 | OUT | GET /canonical.html HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: keep-alive
Dec 17, 2024 10:21:44.300575018 CET | 298 | IN | HTTP/1.1 200 OK
Server: nginx
Content-Length: 90
Via: 1.1 google
Date: Mon, 16 Dec 2024 11:33:04 GMT
Age: 78520
Content-Type: text/html
Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600
Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e
Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 17, 2024 10:21:54.302463055 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:22:04.431129932 CET | 6 | OUT | Data Raw: 00
Data Ascii:
Dec 17, 2024 10:22:14.558501959 CET | 6 | OUT | Data Raw: 00
Data Ascii:


Target ID: 0
Start time: 04:20:06
Start date: 17/12/2024
Path: C:\Users\user\Desktop\kjDPynh9vQ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kjDPynh9vQ.exe"
Imagebase: 0xb80000
File size: 969'216 bytes
MD5 hash: A94E88B82D8B95386186B27736DFF926
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 04:20:06
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM firefox.exe /T
Imagebase: 0xe00000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 04:20:06
Start date: 17/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 04:20:09
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM chrome.exe /T
Imagebase: 0xe00000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                                                                Target ID:5
                                                                                                                                                                                                                                                                                                                                                                                Start time:04:20:09
                                                                                                                                                                                                                                                                                                                                                                                Start date:17/12/2024
                                                                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                                                                Target ID:6
                                                                                                                                                                                                                                                                                                                                                                                Start time:04:20:09
                                                                                                                                                                                                                                                                                                                                                                                Start date:17/12/2024
                                                                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                                Commandline:taskkill /F /IM msedge.exe /T
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0xe00000
                                                                                                                                                                                                                                                                                                                                                                                File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                                                                Target ID:7
                                                                                                                                                                                                                                                                                                                                                                                Start time:04:20:09
                                                                                                                                                                                                                                                                                                                                                                                Start date:17/12/2024
                                                                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                                                                Target ID:8
                                                                                                                                                                                                                                                                                                                                                                                Start time:04:20:09
                                                                                                                                                                                                                                                                                                                                                                                Start date:17/12/2024
                                                                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                                                                                                                Commandline:taskkill /F /IM opera.exe /T
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0xe00000
                                                                                                                                                                                                                                                                                                                                                                                File size:74'240 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                                                                                                                                                                                                Target ID:9
                                                                                                                                                                                                                                                                                                                                                                                Start time:04:20:09
                                                                                                                                                                                                                                                                                                                                                                                Start date:17/12/2024
                                                                                                                                                                                                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0x7ff70f010000
                                                                                                                                                                                                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                                                                                                                                                                                                Has exited:true

Target ID: 10
Start time: 04:20:09
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /F /IM brave.exe /T
Imagebase: 0xe00000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 11
Start time: 04:20:09
Start date: 17/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff70f010000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 12
Start time: 04:20:10
Start date: 17/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase: 0x7ff73feb0000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 13
Start time: 04:20:10
Start date: 17/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase: 0x7ff73feb0000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 04:20:10
Start date: 17/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase: 0x7ff73feb0000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false
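The three records above (targets 10, 12, 13 and 14) show the chain behind the report's Credential Flusher signature: taskkill.exe forcibly ends a running browser (brave.exe, with /T so child processes go too), and within a second firefox.exe is started in --kiosk mode on a Google sign-in URL with popup blocking disabled. Neither half is suspicious on its own (helpdesk scripts kill browsers, signage launches kiosk windows), so a useful detection correlates the two per host. What follows is an added example for this report, not code from Joe Sandbox or from the sample: a small correlation rule run over constructed process-creation events (Sysmon Event ID 1 style, one JSON object per line) that mirror the command lines recorded above. The field names, host names, PIDs, parent images and the 60-second window are assumptions.

```python
"""Correlate a forced browser kill with a kiosk-mode relaunch on a sign-in URL.

Added example for this sandbox report; not Joe Sandbox or sample code. The events
below are constructed to mirror the report's process list; hosts, PIDs, parent
images and the 60-second window are assumed values.
"""
import json
import re
from datetime import datetime, timedelta

# Browser images worth watching; the report shows brave.exe killed and firefox.exe relaunched.
BROWSERS = {"brave.exe", "chrome.exe", "msedge.exe", "firefox.exe", "opera.exe"}

# taskkill ... /IM <image>, flags in any order, case-insensitive
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/IM\s+(?P<image>[\w.-]+)", re.IGNORECASE)
# --kiosk as its own switch
KIOSK_RE = re.compile(r"(?:^|\s)--kiosk\b", re.IGNORECASE)
# a URL on the same command line that points at a sign-in page
LOGIN_URL_RE = re.compile(
    r"https?://\S*?(?:accounts\.google\.com|/signin/|/login\b)\S*", re.IGNORECASE)

WINDOW = timedelta(seconds=60)  # assumed: kill and relaunch come from one script run


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(jsonl):
    """Parse JSON-lines process events and return them ordered by timestamp."""
    events = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["UtcTime"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])  # stable: same-second order is kept


def classify(event):
    """Tag an event as ('kill', image), ('kiosk_login', url) or None."""
    cmd = event.get("CommandLine", "")
    image = _basename(event.get("Image", ""))
    if image == "taskkill.exe":
        m = TASKKILL_RE.search(cmd)
        if m and m.group("image").lower() in BROWSERS:
            return ("kill", m.group("image").lower())
    if image in BROWSERS and KIOSK_RE.search(cmd):
        m = LOGIN_URL_RE.search(cmd)
        if m:
            return ("kiosk_login", m.group(0).strip('"'))
    return None


def detect_credential_flusher(events):
    """One finding per (host, sign-in URL) where a kiosk browser launch followed a
    forced browser kill on the same host within WINDOW; repeated launches of the
    same page (the report shows three) are folded into one finding."""
    kills = []     # (ts, host, killed image)
    findings = {}  # (host, url) -> finding
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        kind, detail = tag
        host = ev["Computer"]
        if kind == "kill":
            kills.append((ev["ts"], host, detail))
            continue
        prior = [k for k in kills if k[1] == host and timedelta(0) <= ev["ts"] - k[0] <= WINDOW]
        if not prior:
            continue  # a lone kiosk launch (signage, intranet app) is not enough
        f = findings.setdefault((host, detail), {
            "host": host, "url": detail, "killed": sorted({k[2] for k in prior}),
            "parent": _basename(ev.get("ParentImage", "")), "kiosk_pids": []})
        f["kiosk_pids"].append(ev["ProcessId"])
    return list(findings.values())


# Constructed events: WS01 mirrors the report; WS02 holds two benign look-alikes
# (a kiosk launch without a sign-in URL, and a sign-in kiosk launch outside the window).
SAMPLE_EVENTS = r"""
{"UtcTime": "2024-12-17T04:20:09", "Computer": "WS01", "ProcessId": 6120, "Image": "C:\\Windows\\SysWOW64\\taskkill.exe", "CommandLine": "taskkill /F /IM brave.exe /T", "ParentImage": "C:\\Users\\user\\Desktop\\kjDPynh9vQ.exe"}
{"UtcTime": "2024-12-17T04:20:09", "Computer": "WS01", "ProcessId": 6124, "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "ParentImage": "C:\\Windows\\SysWOW64\\taskkill.exe"}
{"UtcTime": "2024-12-17T04:20:10", "Computer": "WS01", "ProcessId": 6200, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" --kiosk \"https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd\" --no-default-browser-check --disable-popup-blocking", "ParentImage": "C:\\Users\\user\\Desktop\\kjDPynh9vQ.exe"}
{"UtcTime": "2024-12-17T04:20:10", "Computer": "WS01", "ProcessId": 6208, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"UtcTime": "2024-12-17T04:20:10", "Computer": "WS01", "ProcessId": 6216, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"UtcTime": "2024-12-17T04:20:11", "Computer": "WS01", "ProcessId": 6300, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "CommandLine": "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -contentproc --channel=2296 -appDir \"C:\\Program Files\\Mozilla Firefox\\browser\" socket", "ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"}
{"UtcTime": "2024-12-17T09:00:00", "Computer": "WS02", "ProcessId": 4010, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM chrome.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"UtcTime": "2024-12-17T09:00:20", "Computer": "WS02", "ProcessId": 4100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --kiosk https://intranet.example/dashboard", "ParentImage": "C:\\Windows\\explorer.exe"}
{"UtcTime": "2024-12-17T09:15:00", "Computer": "WS02", "ProcessId": 4200, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --kiosk https://accounts.google.com/signin", "ParentImage": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in detect_credential_flusher(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['host']}] {f['parent']} killed {f['killed']} then opened a kiosk "
              f"browser (pids {f['kiosk_pids']}) on {f['url']}")
```

Run as-is it reports a single finding for WS01 with the sample as parent of the first kiosk launch; the WS02 events produce nothing because one launch has no sign-in URL and the other falls outside the window. In production the parent image of the taskkill and of the first browser launch (here the same unsigned executable on the user's desktop) is the field to pivot on, and --kiosk plus a sign-in URL launched by anything other than explorer.exe or a browser is worth alerting on even without the kill.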

Target ID: 16
Start time: 04:20:11
Start date: 17/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2208 -prefsLen 25315 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2fc85f1-1a2d-4561-b18f-bae297b79c3b} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1174be6e310 socket
Imagebase: 0x7ff73feb0000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 18
Start time: 04:20:12
Start date: 17/12/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3792 -prefMapHandle 3840 -prefsLen 26330 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5bf1d68-33a4-4d18-a21d-584b68b3679b} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1175beefd10 rdd
Imagebase: 0x7ff73feb0000
                                                                                                                                                                                                                                                                                                                                                                                File size:676'768 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                                                                                                                                                                                                Target ID:19
                                                                                                                                                                                                                                                                                                                                                                                Start time:04:20:17
                                                                                                                                                                                                                                                                                                                                                                                Start date:17/12/2024
                                                                                                                                                                                                                                                                                                                                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                                                                                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                                                                                                                Commandline:"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3768 -prefMapHandle 4508 -prefsLen 33141 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a151f8c8-1b7f-4b6c-8e13-c9b62c2c0a41} 8000 "\\.\pipe\gecko-crash-server-pipe.8000" 1176405a510 utility
                                                                                                                                                                                                                                                                                                                                                                                Imagebase:0x7ff73feb0000
                                                                                                                                                                                                                                                                                                                                                                                File size:676'768 bytes
                                                                                                                                                                                                                                                                                                                                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                                                                                                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                                                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                                                                                                                Has exited:false


Execution Graph

Execution Coverage: 2.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.1%
Total number of Nodes: 1739
Total number of Limit Nodes: 48
22 API calls 97169->97171 97171->97168 97171->97169 97172 b8adcd 22 API calls 97171->97172 97174 b8a961 97171->97174 97179 b8a8c7 22 API calls __fread_nolock 97171->97179 97172->97171 97175 b9fe0b 22 API calls 97174->97175 97176 b8a976 97175->97176 97177 b9fddb 22 API calls 97176->97177 97178 b8a984 97177->97178 97178->97171 97179->97171 97181 b8be27 97180->97181 97186 b8bbf3 97180->97186 97181->97143 97183 b8bc9d 97183->97143 97184 b8a961 22 API calls 97184->97186 97186->97183 97186->97184 97190 ba0242 5 API calls __Init_thread_wait 97186->97190 97191 ba00a3 29 API calls __onexit 97186->97191 97192 ba01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97186->97192 97188->97152 97189->97157 97190->97186 97191->97186 97192->97186 97193->96800 97194->96800 97195->96799 97196->96803 97197->96821 97198->96821 97199 bdd27a GetUserNameW 97200 bdd292 97199->97200 97201 bd3f75 97212 b9ceb1 97201->97212 97203 bd3f8b 97204 bd4006 97203->97204 97221 b9e300 23 API calls 97203->97221 97206 b8bf40 348 API calls 97204->97206 97210 bd4052 97206->97210 97208 bd3fe6 97208->97210 97222 bf1abf 22 API calls 97208->97222 97209 bd4a88 97210->97209 97223 bf359c 82 API calls __wsopen_s 97210->97223 97213 b9cebf 97212->97213 97214 b9ced2 97212->97214 97215 b8aceb 23 API calls 97213->97215 97216 b9cf05 97214->97216 97217 b9ced7 97214->97217 97220 b9cec9 97215->97220 97219 b8aceb 23 API calls 97216->97219 97218 b9fddb 22 API calls 97217->97218 97218->97220 97219->97220 97220->97203 97221->97208 97222->97204 97223->97209 97224 b81033 97229 b84c91 97224->97229 97228 b81042 97230 b8a961 22 API calls 97229->97230 97231 b84cff 97230->97231 97237 b83af0 97231->97237 97234 b84d9c 97235 b81038 97234->97235 97240 b851f7 22 API calls __fread_nolock 97234->97240 97236 ba00a3 29 API calls __onexit 97235->97236 97236->97228 97241 b83b1c 97237->97241 97240->97234 97242 b83b0f 97241->97242 97243 b83b29 97241->97243 97242->97234 97243->97242 97244 b83b30 RegOpenKeyExW 97243->97244 97244->97242 
97245 b83b4a RegQueryValueExW 97244->97245 97246 b83b80 RegCloseKey 97245->97246 97247 b83b6b 97245->97247 97246->97242 97247->97246 97248 b8fe73 97249 b9ceb1 23 API calls 97248->97249 97250 b8fe89 97249->97250 97255 b9cf92 97250->97255 97252 b8feb3 97267 bf359c 82 API calls __wsopen_s 97252->97267 97254 bd4ab8 97268 b86270 97255->97268 97257 b9cfc9 97258 b89cb3 22 API calls 97257->97258 97260 b9cffa 97257->97260 97259 bdd166 97258->97259 97273 b86350 22 API calls 97259->97273 97260->97252 97262 bdd171 97274 b9d2f0 40 API calls 97262->97274 97264 bdd184 97265 b8aceb 23 API calls 97264->97265 97266 bdd188 97264->97266 97265->97266 97266->97266 97267->97254 97269 b9fe0b 22 API calls 97268->97269 97270 b86295 97269->97270 97271 b9fddb 22 API calls 97270->97271 97272 b862a3 97271->97272 97272->97257 97273->97262 97274->97264 97275 b82e37 97276 b8a961 22 API calls 97275->97276 97277 b82e4d 97276->97277 97354 b84ae3 97277->97354 97279 b82e6b 97368 b83a5a 97279->97368 97281 b82e7f 97282 b89cb3 22 API calls 97281->97282 97283 b82e8c 97282->97283 97375 b84ecb 97283->97375 97286 b82ead 97397 b8a8c7 22 API calls __fread_nolock 97286->97397 97287 bc2cb0 97413 bf2cf9 97287->97413 97289 bc2cc3 97291 bc2ccf 97289->97291 97439 b84f39 97289->97439 97295 b84f39 68 API calls 97291->97295 97292 b82ec3 97398 b86f88 22 API calls 97292->97398 97297 bc2ce5 97295->97297 97296 b82ecf 97298 b89cb3 22 API calls 97296->97298 97445 b83084 22 API calls 97297->97445 97299 b82edc 97298->97299 97300 b8a81b 41 API calls 97299->97300 97302 b82eec 97300->97302 97304 b89cb3 22 API calls 97302->97304 97303 bc2d02 97446 b83084 22 API calls 97303->97446 97305 b82f12 97304->97305 97307 b8a81b 41 API calls 97305->97307 97311 b82f21 97307->97311 97308 bc2d1e 97309 b83a5a 24 API calls 97308->97309 97310 bc2d44 97309->97310 97447 b83084 22 API calls 97310->97447 97314 b8a961 22 API calls 97311->97314 97313 bc2d50 97448 b8a8c7 22 API calls __fread_nolock 97313->97448 97316 b82f3f 97314->97316 97399 b83084 22 
API calls 97316->97399 97317 bc2d5e 97449 b83084 22 API calls 97317->97449 97320 b82f4b 97400 ba4a28 40 API calls 3 library calls 97320->97400 97321 bc2d6d 97450 b8a8c7 22 API calls __fread_nolock 97321->97450 97323 b82f59 97323->97297 97324 b82f63 97323->97324 97401 ba4a28 40 API calls 3 library calls 97324->97401 97327 b82f6e 97327->97303 97329 b82f78 97327->97329 97328 bc2d83 97451 b83084 22 API calls 97328->97451 97402 ba4a28 40 API calls 3 library calls 97329->97402 97332 bc2d90 97333 b82f83 97333->97308 97334 b82f8d 97333->97334 97403 ba4a28 40 API calls 3 library calls 97334->97403 97336 b82f98 97337 b82fdc 97336->97337 97404 b83084 22 API calls 97336->97404 97337->97321 97338 b82fe8 97337->97338 97338->97332 97407 b863eb 22 API calls 97338->97407 97341 b82fbf 97405 b8a8c7 22 API calls __fread_nolock 97341->97405 97342 b82ff8 97408 b86a50 22 API calls 97342->97408 97345 b82fcd 97406 b83084 22 API calls 97345->97406 97346 b83006 97409 b870b0 23 API calls 97346->97409 97351 b83021 97352 b83065 97351->97352 97410 b86f88 22 API calls 97351->97410 97411 b870b0 23 API calls 97351->97411 97412 b83084 22 API calls 97351->97412 97355 b84af0 __wsopen_s 97354->97355 97356 b86b57 22 API calls 97355->97356 97357 b84b22 97355->97357 97356->97357 97359 b84b58 97357->97359 97452 b84c6d 97357->97452 97360 b84c29 97359->97360 97362 b89cb3 22 API calls 97359->97362 97365 b84c6d 22 API calls 97359->97365 97455 b8515f 97359->97455 97361 b89cb3 22 API calls 97360->97361 97364 b84c5e 97360->97364 97363 b84c52 97361->97363 97362->97359 97366 b8515f 22 API calls 97363->97366 97364->97279 97365->97359 97366->97364 97461 bc1f50 97368->97461 97371 b89cb3 22 API calls 97372 b83a8d 97371->97372 97463 b83aa2 97372->97463 97374 b83a97 97374->97281 97483 b84e90 LoadLibraryA 97375->97483 97380 bc3ccf 97382 b84f39 68 API calls 97380->97382 97381 b84ef6 LoadLibraryExW 97491 b84e59 LoadLibraryA 97381->97491 97384 bc3cd6 97382->97384 97386 b84e59 3 API calls 97384->97386 97388 bc3cde 
97386->97388 97513 b850f5 97388->97513 97389 b84f20 97389->97388 97390 b84f2c 97389->97390 97391 b84f39 68 API calls 97390->97391 97393 b82ea5 97391->97393 97393->97286 97393->97287 97396 bc3d05 97397->97292 97398->97296 97399->97320 97400->97323 97401->97327 97402->97333 97403->97336 97404->97341 97405->97345 97406->97337 97407->97342 97408->97346 97409->97351 97410->97351 97411->97351 97412->97351 97414 bf2d15 97413->97414 97415 b8511f 64 API calls 97414->97415 97416 bf2d29 97415->97416 97649 bf2e66 97416->97649 97419 b850f5 40 API calls 97420 bf2d56 97419->97420 97421 b850f5 40 API calls 97420->97421 97422 bf2d66 97421->97422 97423 b850f5 40 API calls 97422->97423 97424 bf2d81 97423->97424 97425 b850f5 40 API calls 97424->97425 97426 bf2d9c 97425->97426 97427 b8511f 64 API calls 97426->97427 97428 bf2db3 97427->97428 97429 baea0c ___std_exception_copy 21 API calls 97428->97429 97430 bf2dba 97429->97430 97431 baea0c ___std_exception_copy 21 API calls 97430->97431 97432 bf2dc4 97431->97432 97433 b850f5 40 API calls 97432->97433 97434 bf2dd8 97433->97434 97435 bf28fe 27 API calls 97434->97435 97437 bf2dee 97435->97437 97436 bf2d3f 97436->97289 97437->97436 97655 bf22ce 79 API calls 97437->97655 97440 b84f43 97439->97440 97442 b84f4a 97439->97442 97656 bae678 97440->97656 97443 b84f59 97442->97443 97444 b84f6a FreeLibrary 97442->97444 97443->97291 97444->97443 97445->97303 97446->97308 97447->97313 97448->97317 97449->97321 97450->97328 97451->97332 97453 b8aec9 22 API calls 97452->97453 97454 b84c78 97453->97454 97454->97357 97456 b8516e 97455->97456 97460 b8518f __fread_nolock 97455->97460 97459 b9fe0b 22 API calls 97456->97459 97457 b9fddb 22 API calls 97458 b851a2 97457->97458 97458->97359 97459->97460 97460->97457 97462 b83a67 GetModuleFileNameW 97461->97462 97462->97371 97464 bc1f50 __wsopen_s 97463->97464 97465 b83aaf GetFullPathNameW 97464->97465 97466 b83ae9 97465->97466 97467 b83ace 97465->97467 97477 b8a6c3 97466->97477 97468 b86b57 22 API calls 
97467->97468 97470 b83ada 97468->97470 97473 b837a0 97470->97473 97474 b837ae 97473->97474 97475 b893b2 22 API calls 97474->97475 97476 b837c2 97475->97476 97476->97374 97478 b8a6dd 97477->97478 97479 b8a6d0 97477->97479 97480 b9fddb 22 API calls 97478->97480 97479->97470 97481 b8a6e7 97480->97481 97482 b9fe0b 22 API calls 97481->97482 97482->97479 97484 b84ea8 GetProcAddress 97483->97484 97485 b84ec6 97483->97485 97486 b84eb8 97484->97486 97488 bae5eb 97485->97488 97486->97485 97487 b84ebf FreeLibrary 97486->97487 97487->97485 97521 bae52a 97488->97521 97490 b84eea 97490->97380 97490->97381 97492 b84e8d 97491->97492 97493 b84e6e GetProcAddress 97491->97493 97496 b84f80 97492->97496 97494 b84e7e 97493->97494 97494->97492 97495 b84e86 FreeLibrary 97494->97495 97495->97492 97497 b9fe0b 22 API calls 97496->97497 97498 b84f95 97497->97498 97575 b85722 97498->97575 97500 b84fa1 __fread_nolock 97501 bc3d1d 97500->97501 97502 b850a5 97500->97502 97511 b84fdc 97500->97511 97589 bf304d 74 API calls 97501->97589 97578 b842a2 CreateStreamOnHGlobal 97502->97578 97505 bc3d22 97507 b8511f 64 API calls 97505->97507 97506 b850f5 40 API calls 97506->97511 97508 bc3d45 97507->97508 97509 b850f5 40 API calls 97508->97509 97512 b8506e ISource 97509->97512 97511->97505 97511->97506 97511->97512 97584 b8511f 97511->97584 97512->97389 97514 bc3d70 97513->97514 97515 b85107 97513->97515 97611 bae8c4 97515->97611 97518 bf28fe 97632 bf274e 97518->97632 97520 bf2919 97520->97396 97523 bae536 __FrameHandler3::FrameUnwindToState 97521->97523 97522 bae544 97546 baf2d9 20 API calls _free 97522->97546 97523->97522 97525 bae574 97523->97525 97528 bae579 97525->97528 97529 bae586 97525->97529 97526 bae549 97547 bb27ec 26 API calls pre_c_initialization 97526->97547 97548 baf2d9 20 API calls _free 97528->97548 97538 bb8061 97529->97538 97532 bae58f 97533 bae5a2 97532->97533 97534 bae595 97532->97534 97550 bae5d4 LeaveCriticalSection __fread_nolock 97533->97550 97549 baf2d9 20 API calls _free 
97534->97549 97536 bae554 __fread_nolock 97536->97490 97539 bb806d __FrameHandler3::FrameUnwindToState 97538->97539 97551 bb2f5e EnterCriticalSection 97539->97551 97541 bb807b 97552 bb80fb 97541->97552 97545 bb80ac __fread_nolock 97545->97532 97546->97526 97547->97536 97548->97536 97549->97536 97550->97536 97551->97541 97560 bb811e 97552->97560 97553 bb8088 97566 bb80b7 97553->97566 97554 bb8177 97571 bb4c7d 20 API calls _free 97554->97571 97556 bb8180 97558 bb29c8 _free 20 API calls 97556->97558 97559 bb8189 97558->97559 97559->97553 97572 bb3405 11 API calls 2 library calls 97559->97572 97560->97553 97560->97554 97560->97560 97569 ba918d EnterCriticalSection 97560->97569 97570 ba91a1 LeaveCriticalSection 97560->97570 97562 bb81a8 97573 ba918d EnterCriticalSection 97562->97573 97565 bb81bb 97565->97553 97574 bb2fa6 LeaveCriticalSection 97566->97574 97568 bb80be 97568->97545 97569->97560 97570->97560 97571->97556 97572->97562 97573->97565 97574->97568 97576 b9fddb 22 API calls 97575->97576 97577 b85734 97576->97577 97577->97500 97579 b842bc FindResourceExW 97578->97579 97583 b842d9 97578->97583 97580 bc35ba LoadResource 97579->97580 97579->97583 97581 bc35cf SizeofResource 97580->97581 97580->97583 97582 bc35e3 LockResource 97581->97582 97581->97583 97582->97583 97583->97511 97585 b8512e 97584->97585 97586 bc3d90 97584->97586 97590 baece3 97585->97590 97589->97505 97593 baeaaa 97590->97593 97592 b8513c 97592->97511 97597 baeab6 __FrameHandler3::FrameUnwindToState 97593->97597 97594 baeac2 97606 baf2d9 20 API calls _free 97594->97606 97596 baeae8 97608 ba918d EnterCriticalSection 97596->97608 97597->97594 97597->97596 97598 baeac7 97607 bb27ec 26 API calls pre_c_initialization 97598->97607 97601 baeaf4 97609 baec0a 62 API calls 2 library calls 97601->97609 97603 baeb08 97610 baeb27 LeaveCriticalSection __fread_nolock 97603->97610 97605 baead2 __fread_nolock 97605->97592 97606->97598 97607->97605 97608->97601 97609->97603 97610->97605 97614 bae8e1 97611->97614 97613 
b85118 97613->97518 97615 bae8ed __FrameHandler3::FrameUnwindToState 97614->97615 97616 bae92d 97615->97616 97617 bae925 __fread_nolock 97615->97617 97619 bae900 ___scrt_fastfail 97615->97619 97629 ba918d EnterCriticalSection 97616->97629 97617->97613 97627 baf2d9 20 API calls _free 97619->97627 97621 bae937 97630 bae6f8 38 API calls 4 library calls 97621->97630 97622 bae91a 97628 bb27ec 26 API calls pre_c_initialization 97622->97628 97625 bae94e 97631 bae96c LeaveCriticalSection __fread_nolock 97625->97631 97627->97622 97628->97617 97629->97621 97630->97625 97631->97617 97635 bae4e8 97632->97635 97634 bf275d 97634->97520 97638 bae469 97635->97638 97637 bae505 97637->97634 97639 bae478 97638->97639 97640 bae48c 97638->97640 97646 baf2d9 20 API calls _free 97639->97646 97645 bae488 __alldvrm 97640->97645 97648 bb333f 11 API calls 2 library calls 97640->97648 97642 bae47d 97647 bb27ec 26 API calls pre_c_initialization 97642->97647 97645->97637 97646->97642 97647->97645 97648->97645 97650 bf2e7a 97649->97650 97651 b850f5 40 API calls 97650->97651 97652 bf2d3b 97650->97652 97653 bf28fe 27 API calls 97650->97653 97654 b8511f 64 API calls 97650->97654 97651->97650 97652->97419 97652->97436 97653->97650 97654->97650 97655->97436 97657 bae684 __FrameHandler3::FrameUnwindToState 97656->97657 97658 bae6aa 97657->97658 97659 bae695 97657->97659 97668 bae6a5 __fread_nolock 97658->97668 97669 ba918d EnterCriticalSection 97658->97669 97686 baf2d9 20 API calls _free 97659->97686 97662 bae69a 97687 bb27ec 26 API calls pre_c_initialization 97662->97687 97663 bae6c6 97670 bae602 97663->97670 97666 bae6d1 97688 bae6ee LeaveCriticalSection __fread_nolock 97666->97688 97668->97442 97669->97663 97671 bae60f 97670->97671 97672 bae624 97670->97672 97721 baf2d9 20 API calls _free 97671->97721 97679 bae61f 97672->97679 97689 badc0b 97672->97689 97675 bae614 97722 bb27ec 26 API calls pre_c_initialization 97675->97722 97679->97666 97682 bae646 97706 bb862f 97682->97706 97685 bb29c8 _free 20 
API calls 97685->97679 97686->97662 97687->97668 97688->97668 97690 badc1f 97689->97690 97691 badc23 97689->97691 97695 bb4d7a 97690->97695 97691->97690 97692 bad955 __fread_nolock 26 API calls 97691->97692 97693 badc43 97692->97693 97723 bb59be 62 API calls 6 library calls 97693->97723 97696 bb4d90 97695->97696 97698 bae640 97695->97698 97697 bb29c8 _free 20 API calls 97696->97697 97696->97698 97697->97698 97699 bad955 97698->97699 97700 bad961 97699->97700 97701 bad976 97699->97701 97724 baf2d9 20 API calls _free 97700->97724 97701->97682 97703 bad966 97725 bb27ec 26 API calls pre_c_initialization 97703->97725 97705 bad971 97705->97682 97707 bb863e 97706->97707 97708 bb8653 97706->97708 97729 baf2c6 20 API calls _free 97707->97729 97710 bb868e 97708->97710 97715 bb867a 97708->97715 97731 baf2c6 20 API calls _free 97710->97731 97712 bb8643 97730 baf2d9 20 API calls _free 97712->97730 97713 bb8693 97732 baf2d9 20 API calls _free 97713->97732 97726 bb8607 97715->97726 97718 bb869b 97733 bb27ec 26 API calls pre_c_initialization 97718->97733 97719 bae64c 97719->97679 97719->97685 97721->97675 97722->97679 97723->97690 97724->97703 97725->97705 97734 bb8585 97726->97734 97728 bb862b 97728->97719 97729->97712 97730->97719 97731->97713 97732->97718 97733->97719 97735 bb8591 __FrameHandler3::FrameUnwindToState 97734->97735 97745 bb5147 EnterCriticalSection 97735->97745 97737 bb859f 97738 bb85d1 97737->97738 97739 bb85c6 97737->97739 97761 baf2d9 20 API calls _free 97738->97761 97746 bb86ae 97739->97746 97742 bb85cc 97762 bb85fb LeaveCriticalSection __wsopen_s 97742->97762 97744 bb85ee __fread_nolock 97744->97728 97745->97737 97763 bb53c4 97746->97763 97748 bb86c4 97776 bb5333 21 API calls 3 library calls 97748->97776 97750 bb86be 97750->97748 97751 bb86f6 97750->97751 97752 bb53c4 __wsopen_s 26 API calls 97750->97752 97751->97748 97753 bb53c4 __wsopen_s 26 API calls 97751->97753 97755 bb86ed 97752->97755 97756 bb8702 CloseHandle 97753->97756 97754 bb871c 97757 bb873e 
97754->97757 97777 baf2a3 20 API calls 2 library calls 97754->97777 97758 bb53c4 __wsopen_s 26 API calls 97755->97758 97756->97748 97759 bb870e GetLastError 97756->97759 97757->97742 97758->97751 97759->97748 97761->97742 97762->97744 97764 bb53d1 97763->97764 97765 bb53e6 97763->97765 97778 baf2c6 20 API calls _free 97764->97778 97769 bb540b 97765->97769 97780 baf2c6 20 API calls _free 97765->97780 97768 bb53d6 97779 baf2d9 20 API calls _free 97768->97779 97769->97750 97770 bb5416 97781 baf2d9 20 API calls _free 97770->97781 97773 bb541e 97782 bb27ec 26 API calls pre_c_initialization 97773->97782 97774 bb53de 97774->97750 97776->97754 97777->97757 97778->97768 97779->97774 97780->97770 97781->97773 97782->97774 97783 c12a55 97791 bf1ebc 97783->97791 97786 c12a87 97787 c12a70 97793 be39c0 22 API calls 97787->97793 97789 c12a7c 97794 be417d 22 API calls __fread_nolock 97789->97794 97792 bf1ec3 IsWindow 97791->97792 97792->97786 97792->97787 97793->97789 97794->97786 97795 b81cad SystemParametersInfoW 97796 bc2ba5 97797 bc2baf 97796->97797 97798 b82b25 97796->97798 97800 b83a5a 24 API calls 97797->97800 97824 b82b83 7 API calls 97798->97824 97802 bc2bb8 97800->97802 97804 b89cb3 22 API calls 97802->97804 97806 bc2bc6 97804->97806 97805 b82b2f 97807 b82b44 97805->97807 97828 b83837 97805->97828 97808 bc2bce 97806->97808 97809 bc2bf5 97806->97809 97815 b82b5f 97807->97815 97838 b830f2 97807->97838 97842 b833c6 97808->97842 97810 b833c6 22 API calls 97809->97810 97822 bc2bf1 GetForegroundWindow ShellExecuteW 97810->97822 97821 b82b66 SetCurrentDirectoryW 97815->97821 97817 bc2c26 97817->97815 97819 bc2be7 97820 b833c6 22 API calls 97819->97820 97820->97822 97823 b82b7a 97821->97823 97822->97817 97852 b82cd4 7 API calls 97824->97852 97826 b82b2a 97827 b82c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97826->97827 97827->97805 97829 b83862 ___scrt_fastfail 97828->97829 97853 b84212 97829->97853 97833 bc3386 Shell_NotifyIconW 97834 b83906 Shell_NotifyIconW 97857 
b83923 97834->97857 97836 b838e8 97836->97833 97836->97834 97837 b8391c 97837->97807 97839 b83154 97838->97839 97840 b83104 ___scrt_fastfail 97838->97840 97839->97815 97841 b83123 Shell_NotifyIconW 97840->97841 97841->97839 97843 b833dd 97842->97843 97844 bc30bb 97842->97844 97883 b833ee 97843->97883 97846 b9fddb 22 API calls 97844->97846 97848 bc30c5 _wcslen 97846->97848 97847 b833e8 97851 b86350 22 API calls 97847->97851 97849 b9fe0b 22 API calls 97848->97849 97850 bc30fe __fread_nolock 97849->97850 97851->97819 97852->97826 97854 bc35a4 97853->97854 97855 b838b7 97853->97855 97854->97855 97856 bc35ad DestroyIcon 97854->97856 97855->97836 97879 bec874 42 API calls _strftime 97855->97879 97856->97855 97858 b8393f 97857->97858 97877 b83a13 97857->97877 97859 b86270 22 API calls 97858->97859 97860 b8394d 97859->97860 97861 b8395a 97860->97861 97862 bc3393 LoadStringW 97860->97862 97863 b86b57 22 API calls 97861->97863 97864 bc33ad 97862->97864 97865 b8396f 97863->97865 97873 b83994 ___scrt_fastfail 97864->97873 97881 b8a8c7 22 API calls __fread_nolock 97864->97881 97866 b8397c 97865->97866 97867 bc33c9 97865->97867 97866->97864 97869 b83986 97866->97869 97882 b86350 22 API calls 97867->97882 97880 b86350 22 API calls 97869->97880 97872 bc33d7 97872->97873 97874 b833c6 22 API calls 97872->97874 97875 b839f9 Shell_NotifyIconW 97873->97875 97876 bc33f9 97874->97876 97875->97877 97878 b833c6 22 API calls 97876->97878 97877->97837 97878->97873 97879->97836 97880->97873 97881->97873 97882->97872 97884 b833fe _wcslen 97883->97884 97885 bc311d 97884->97885 97886 b83411 97884->97886 97888 b9fddb 22 API calls 97885->97888 97893 b8a587 97886->97893 97890 bc3127 97888->97890 97889 b8341e __fread_nolock 97889->97847 97891 b9fe0b 22 API calls 97890->97891 97892 bc3157 __fread_nolock 97891->97892 97894 b8a59d 97893->97894 97897 b8a598 __fread_nolock 97893->97897 97895 b9fe0b 22 API calls 97894->97895 97896 bcf80f 97894->97896 97895->97897 97897->97889 97898 b82de3 97899 b82df0 
__wsopen_s 97898->97899 97900 b82e09 97899->97900 97901 bc2c2b ___scrt_fastfail 97899->97901 97902 b83aa2 23 API calls 97900->97902 97903 bc2c47 GetOpenFileNameW 97901->97903 97904 b82e12 97902->97904 97905 bc2c96 97903->97905 97914 b82da5 97904->97914 97907 b86b57 22 API calls 97905->97907 97910 bc2cab 97907->97910 97910->97910 97911 b82e27 97932 b844a8 97911->97932 97915 bc1f50 __wsopen_s 97914->97915 97916 b82db2 GetLongPathNameW 97915->97916 97917 b86b57 22 API calls 97916->97917 97918 b82dda 97917->97918 97919 b83598 97918->97919 97920 b8a961 22 API calls 97919->97920 97921 b835aa 97920->97921 97922 b83aa2 23 API calls 97921->97922 97923 b835b5 97922->97923 97924 bc32eb 97923->97924 97925 b835c0 97923->97925 97929 bc330d 97924->97929 97967 b9ce60 41 API calls 97924->97967 97926 b8515f 22 API calls 97925->97926 97928 b835cc 97926->97928 97961 b835f3 97928->97961 97931 b835df 97931->97911 97933 b84ecb 94 API calls 97932->97933 97934 b844cd 97933->97934 97935 bc3833 97934->97935 97936 b84ecb 94 API calls 97934->97936 97937 bf2cf9 80 API calls 97935->97937 97938 b844e1 97936->97938 97939 bc3848 97937->97939 97938->97935 97940 b844e9 97938->97940 97941 bc384c 97939->97941 97942 bc3869 97939->97942 97944 bc3854 97940->97944 97945 b844f5 97940->97945 97946 b84f39 68 API calls 97941->97946 97943 b9fe0b 22 API calls 97942->97943 97952 bc38ae 97943->97952 97992 beda5a 82 API calls 97944->97992 97991 b8940c 136 API calls 2 library calls 97945->97991 97946->97944 97949 bc3862 97949->97942 97950 b82e31 97951 b84f39 68 API calls 97954 bc3a5f 97951->97954 97952->97954 97958 b89cb3 22 API calls 97952->97958 97968 be967e 97952->97968 97971 bf0b5a 97952->97971 97977 b8a4a1 97952->97977 97985 b83ff7 97952->97985 97993 be95ad 42 API calls _wcslen 97952->97993 97954->97951 97994 be989b 82 API calls __wsopen_s 97954->97994 97958->97952 97962 b83605 97961->97962 97966 b83624 __fread_nolock 97961->97966 97965 b9fe0b 22 API calls 97962->97965 97963 b9fddb 22 API calls 97964 b8363b 
97963->97964 97964->97931 97965->97966 97966->97963 97967->97924 97969 b9fe0b 22 API calls 97968->97969 97970 be96ae __fread_nolock 97969->97970 97970->97952 97970->97970 97972 bf0b65 97971->97972 97973 b9fddb 22 API calls 97972->97973 97974 bf0b7c 97973->97974 97975 b89cb3 22 API calls 97974->97975 97976 bf0b87 97975->97976 97976->97952 97978 b8a52b 97977->97978 97982 b8a4b1 __fread_nolock 97977->97982 97980 b9fe0b 22 API calls 97978->97980 97979 b9fddb 22 API calls 97981 b8a4b8 97979->97981 97980->97982 97983 b9fddb 22 API calls 97981->97983 97984 b8a4d6 97981->97984 97982->97979 97983->97984 97984->97952 97986 b8400a 97985->97986 97990 b840ae 97985->97990 97987 b9fe0b 22 API calls 97986->97987 97988 b8403c 97986->97988 97987->97988 97989 b9fddb 22 API calls 97988->97989 97988->97990 97989->97988 97990->97952 97991->97950 97992->97949 97993->97952 97994->97954 97995 b8dee5 97998 b8b710 97995->97998 97999 b8b72b 97998->97999 98000 bd00f8 97999->98000 98001 bd0146 97999->98001 98013 b8b750 97999->98013 98004 bd0102 98000->98004 98006 bd010f 98000->98006 98000->98013 98039 c058a2 348 API calls 2 library calls 98001->98039 98037 c05d33 348 API calls 98004->98037 98025 b8ba20 98006->98025 98038 c061d0 348 API calls 2 library calls 98006->98038 98011 bd03d9 98011->98011 98012 b9d336 40 API calls 98012->98013 98013->98012 98016 bd0322 98013->98016 98019 b8a81b 41 API calls 98013->98019 98020 b8ba4e 98013->98020 98023 b8aceb 23 API calls 98013->98023 98024 b8bbe0 40 API calls 98013->98024 98013->98025 98026 b8ec40 348 API calls 98013->98026 98029 b9d2f0 40 API calls 98013->98029 98030 b9a01b 348 API calls 98013->98030 98031 ba0242 5 API calls __Init_thread_wait 98013->98031 98032 b9edcd 22 API calls 98013->98032 98033 ba00a3 29 API calls __onexit 98013->98033 98034 ba01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 98013->98034 98035 b9ee53 82 API calls 98013->98035 98036 b9e5ca 348 API calls 98013->98036 98040 bdf6bf 23 API calls 98013->98040 98041 
b8a8c7 22 API calls __fread_nolock 98013->98041 98042 c05c0c 82 API calls 98016->98042 98019->98013 98023->98013 98024->98013 98025->98020 98043 bf359c 82 API calls __wsopen_s 98025->98043 98026->98013 98029->98013 98030->98013 98031->98013 98032->98013 98033->98013 98034->98013 98035->98013 98036->98013 98037->98006 98038->98025 98039->98013 98040->98013 98041->98013 98042->98025 98043->98011 98044 bdd3a0 98045 bdd3ab 98044->98045 98048 bdd292 98044->98048 98046 bdd3c9 98045->98046 98047 bdd3b9 GetProcAddress 98045->98047 98046->98048 98049 bdd3e4 FreeLibrary 98046->98049 98047->98046 98048->98048 98049->98048 98050 b81098 98055 b842de 98050->98055 98054 b810a7 98056 b8a961 22 API calls 98055->98056 98057 b842f5 GetVersionExW 98056->98057 98058 b86b57 22 API calls 98057->98058 98059 b84342 98058->98059 98060 b893b2 22 API calls 98059->98060 98074 b84378 98059->98074 98061 b8436c 98060->98061 98063 b837a0 22 API calls 98061->98063 98062 b8441b GetCurrentProcess IsWow64Process 98064 b84437 98062->98064 98063->98074 98065 b8444f LoadLibraryA 98064->98065 98066 bc3824 GetSystemInfo 98064->98066 98067 b8449c GetSystemInfo 98065->98067 98068 b84460 GetProcAddress 98065->98068 98071 b84476 98067->98071 98068->98067 98070 b84470 GetNativeSystemInfo 98068->98070 98069 bc37df 98070->98071 98072 b8447a FreeLibrary 98071->98072 98073 b8109d 98071->98073 98072->98073 98075 ba00a3 29 API calls __onexit 98073->98075 98074->98062 98074->98069 98075->98054 98076 b9f698 98077 b9f6c3 98076->98077 98078 b9f6a2 98076->98078 98083 bdf2f8 98077->98083 98093 be4d4a 22 API calls ISource 98077->98093 98085 b8af8a 98078->98085 98080 b9f6b2 98082 b8af8a 22 API calls 98080->98082 98084 b9f6c2 98082->98084 98086 b8af98 98085->98086 98092 b8afc0 ISource 98085->98092 98087 b8afa6 98086->98087 98088 b8af8a 22 API calls 98086->98088 98089 b8af8a 22 API calls 98087->98089 98090 b8afac 98087->98090 98088->98087 98089->98090 98090->98092 98094 b8b090 98090->98094 98092->98080 98093->98077 98095 
Call-graph edge list omitted (Joe Sandbox node/edge dump, graph rendering data rather than text). Windows APIs reached in it: SHGetFolderPathW; RegOpenKeyExW, RegQueryValueExW, RegCloseKey; GetFullPathNameW; WSAStartup, gethostname, gethostbyname, inet_ntoa, WSACleanup; MultiByteToWideChar; window and tray handling (DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, PeekMessageW, GetInputState, IsDialogMessageW, GetClassLongW, GetForegroundWindow); CRT file I/O (CreateFileW, GetFileType, GetLastError, CloseHandle, EnterCriticalSection, LeaveCriticalSection); startup (GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread); timing (timeGetTime, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, SetEvent, ResetEvent); process wait (GetExitCodeProcess, WaitForSingleObject); shutdown (mciSendStringW, UnregisterHotKey, FindClose, FreeLibrary, VirtualFree, VirtualFreeEx, CoUninitialize, InternetCloseHandle).

Control-flow Graph

control_flow_graph 389 b842de-b8434d: basic-block edge list omitted (graph rendering data). Blocks calling APIs: b842de GetVersionExW; b8441b GetCurrentProcess, IsWow64Process; b8444f LoadLibraryA; b84460 GetProcAddress; b84470 GetNativeSystemInfo; b8447a FreeLibrary; b8449c and bc3824 GetSystemInfo (OS version, WOW64 and native-architecture detection).
APIs
• GetVersionExW.KERNEL32(?), ref: 00B8430D
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
• GetCurrentProcess.KERNEL32(?,00C1CB64,00000000,?,?), ref: 00B84422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00B84429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B84454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B84466
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00B84474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00B8447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 00B844A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: f46169cf9ac9b2481f68bb71ee12006f1ff4fa699fbc7dd05d2f073c8971e7c3
• Instruction ID: 3833505fa9f6b254cb49927e234ea1765dddbb7c0d96712899a7bbbc1c3d6edc
• Opcode Fuzzy Hash: f46169cf9ac9b2481f68bb71ee12006f1ff4fa699fbc7dd05d2f073c8971e7c3
• Instruction Fuzzy Hash: 1DA1A36D95A3C0DFC711D76878A979D7FE4AB36746B0C88EDE841B3731D6204A88CB21

Control-flow Graph

control_flow_graph 817 b842a2-b842ba: basic-block edge list omitted (graph rendering data). Blocks calling APIs: b842a2 CreateStreamOnHGlobal; b842bc FindResourceExW; bc35ba LoadResource; bc35cf SizeofResource; bc35e3 LockResource; the failure edge of each of these leads to b842d9.
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B850AA,?,?,00000000,00000000), ref: 00B842B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B850AA,?,?,00000000,00000000), ref: 00B842C9
• LoadResource.KERNEL32(?,00000000,?,?,00B850AA,?,?,00000000,00000000,?,?,?,?,?,?,00B84F20), ref: 00BC35BE
• SizeofResource.KERNEL32(?,00000000,?,?,00B850AA,?,?,00000000,00000000,?,?,?,?,?,?,00B84F20), ref: 00BC35D3
• LockResource.KERNEL32(00B850AA,?,?,00B850AA,?,?,00000000,00000000,?,?,?,?,?,?,00B84F20,?), ref: 00BC35E6
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: SCRIPT
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3051347437-3967369404
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 260c3dd73e422385e66264a2985e5f420dd56a5d84c3b13661b45bad722eba39
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c33925ff5f8627f28f68776d48ef343525aab70778565be77046517cfcdc5dd3
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 260c3dd73e422385e66264a2985e5f420dd56a5d84c3b13661b45bad722eba39
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C811AC70240305BFEB219F65DC88F6B7BB9FBCAB55F1081A9B412C62A0DB71D804C620

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B82B6B
  • Part of subcall function 00B83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C51418,?,00B82E7F,?,?,?,00000000), ref: 00B83A78
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00C42224), ref: 00BC2C10
• ShellExecuteW.SHELL32(00000000,?,?,00C42224), ref: 00BC2C17
Strings
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: f6484ad02492a421a32a1a5f03bf84a891ad7ba4cccc72f3f4d0bfc93d92e75a
• Instruction ID: 97c4f70d05b0ee2c6db6d6d863f620fd68b3e786a809e6258dd23af3196c2584
• Opcode Fuzzy Hash: f6484ad02492a421a32a1a5f03bf84a891ad7ba4cccc72f3f4d0bfc93d92e75a
• Instruction Fuzzy Hash: 38119331208341AACB14FF60D896FBEB7E4EB95B51F4854ADF582560B2CF258A4AC712
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00BED501
• Process32FirstW.KERNEL32(00000000,?), ref: 00BED50F
• Process32NextW.KERNEL32(00000000,?), ref: 00BED52F
• CloseHandle.KERNEL32(00000000), ref: 00BED5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 8d1f2be4c294fce7e454106cd95cfeb7c23c317128fd8d4888b4c088bd741062
• Instruction ID: 27baf873f0893ba89e1071ffdbf0a48cab7d241bfcf73a7cf205d69a6bedb142
• Opcode Fuzzy Hash: 8d1f2be4c294fce7e454106cd95cfeb7c23c317128fd8d4888b4c088bd741062
• Instruction Fuzzy Hash: 6B31BF31008340AFD300EF54C885BBFBBF8EF99354F5409ADF581821A1EBB19A48CB92
APIs
• lstrlenW.KERNEL32(?,00BC5222), ref: 00BEDBCE
• GetFileAttributesW.KERNEL32(?), ref: 00BEDBDD
• FindFirstFileW.KERNEL32(?,?), ref: 00BEDBEE
• FindClose.KERNEL32(00000000), ref: 00BEDBFA
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
APIs
Strings
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
APIs
• GetCurrentProcess.KERNEL32(00BB28E9,?,00BA4CBE,00BB28E9,00C488B8,0000000C,00BA4E15,00BB28E9,00000002,00000000,?,00BB28E9), ref: 00BA4D09
• TerminateProcess.KERNEL32(00000000,?,00BA4CBE,00BB28E9,00C488B8,0000000C,00BA4E15,00BB28E9,00000002,00000000,?,00BB28E9), ref: 00BA4D10
• ExitProcess.KERNEL32 ref: 00BA4D22
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00BDD28C
Strings
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106

Control-flow Graph

APIs
• _wcslen.LIBCMT ref: 00C0B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C0B1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C0B1D4
• _wcslen.LIBCMT ref: 00C0B200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C0B214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C0B236
• _wcslen.LIBCMT ref: 00C0B332
  • Part of subcall function 00BF05A7: GetStdHandle.KERNEL32(000000F6), ref: 00BF05C6
• _wcslen.LIBCMT ref: 00C0B34B
• _wcslen.LIBCMT ref: 00C0B366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C0B3B6
• GetLastError.KERNEL32(00000000), ref: 00C0B407
• CloseHandle.KERNEL32(?), ref: 00C0B439
• CloseHandle.KERNEL32(00000000), ref: 00C0B44A
• CloseHandle.KERNEL32(00000000), ref: 00C0B45C
• CloseHandle.KERNEL32(00000000), ref: 00C0B46E
• CloseHandle.KERNEL32(?), ref: 00C0B4E3
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: 37f066991a63bf821c32a4c04188a20ebd4a898bc80462a1a995410629528021
• Instruction ID: 4fae4eaa476061d0aa8b266351a4dc0601d3d288c25922c843016e19df4e089f
• Opcode Fuzzy Hash: 37f066991a63bf821c32a4c04188a20ebd4a898bc80462a1a995410629528021
• Instruction Fuzzy Hash: 23F1AD716083409FCB14EF24C891B6EBBE5AF85714F14849DF8A99B2E2DB31ED44CB52
APIs
• GetInputState.USER32 ref: 00B8D807
• timeGetTime.WINMM ref: 00B8DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B8DB28
• TranslateMessage.USER32(?), ref: 00B8DB7B
• DispatchMessageW.USER32(?), ref: 00B8DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B8DB9F
• Sleep.KERNEL32(0000000A), ref: 00B8DBB1
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: 32b4b9622bcbd436c1b81f9d4e8a33e56e440d78b2cca14952c23b0ea4a1da8a
• Instruction ID: e22a10038c862c64bfc8a6d539c966c43ecd1c2924aa659ba466dbd7ea6f753d
• Opcode Fuzzy Hash: 32b4b9622bcbd436c1b81f9d4e8a33e56e440d78b2cca14952c23b0ea4a1da8a
• Instruction Fuzzy Hash: 7D42B170608341AFD728EF24C884BAAF7E1FF56314F5485AAE555873E1E770E884CB92

                                                                                                                                                                                                                                                                                                                                                                                  Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00B82D07
• RegisterClassExW.USER32(00000030), ref: 00B82D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B82D42
• InitCommonControlsEx.COMCTL32(?), ref: 00B82D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B82D6F
• LoadIconW.USER32(000000A9), ref: 00B82D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B82D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: e3c9c6a1e5dc533cf566880649de889b7f6af7ea0f4cd7940b44e567cef5341c
• Instruction ID: 82f5e432c3320fc1f9c825f8e9cdaf439b38b20a5c2a792e95e9b952f25518a7
• Opcode Fuzzy Hash: e3c9c6a1e5dc533cf566880649de889b7f6af7ea0f4cd7940b44e567cef5341c
• Instruction Fuzzy Hash: 2421C0B9941318AFDB00DFA4E889BDDBBB4FB09701F04811AF911B62A0D7B14584CF91

Control-flow Graph

control_flow_graph 457 bc065b-bc068b call bc042f 460 bc068d-bc0698 call baf2c6 457->460 461 bc06a6-bc06b2 call bb5221 457->461 468 bc069a-bc06a1 call baf2d9 460->468 466 bc06cb-bc0714 call bc039a 461->466 467 bc06b4-bc06c9 call baf2c6 call baf2d9 461->467 477 bc0716-bc071f 466->477 478 bc0781-bc078a GetFileType 466->478 467->468 475 bc097d-bc0983 468->475 482 bc0756-bc077c GetLastError call baf2a3 477->482 483 bc0721-bc0725 477->483 479 bc078c-bc07bd GetLastError call baf2a3 CloseHandle 478->479 480 bc07d3-bc07d6 478->480 479->468 494 bc07c3-bc07ce call baf2d9 479->494 486 bc07df-bc07e5 480->486 487 bc07d8-bc07dd 480->487 482->468 483->482 488 bc0727-bc0754 call bc039a 483->488 491 bc07e9-bc0837 call bb516a 486->491 492 bc07e7 486->492 487->491 488->478 488->482 499 bc0839-bc0845 call bc05ab 491->499 500 bc0847-bc086b call bc014d 491->500 492->491 494->468 499->500 506 bc086f-bc0879 call bb86ae 499->506 507 bc086d 500->507 508 bc087e-bc08c1 500->508 506->475 507->506 510 bc08e2-bc08f0 508->510 511 bc08c3-bc08c7 508->511 514 bc097b 510->514 515 bc08f6-bc08fa 510->515 511->510 513 bc08c9-bc08dd 511->513 513->510 514->475 515->514 516 bc08fc-bc092f CloseHandle call bc039a 515->516 519 bc0931-bc095d GetLastError call baf2a3 call bb5333 516->519 520 bc0963-bc0977 516->520 519->520 520->514
APIs
  • Part of subcall function 00BC039A: CreateFileW.KERNEL32(00000000,00000000,?,00BC0704,?,?,00000000,?,00BC0704,00000000,0000000C), ref: 00BC03B7
• GetLastError.KERNEL32 ref: 00BC076F
• __dosmaperr.LIBCMT ref: 00BC0776
• GetFileType.KERNEL32(00000000), ref: 00BC0782
• GetLastError.KERNEL32 ref: 00BC078C
• __dosmaperr.LIBCMT ref: 00BC0795
• CloseHandle.KERNEL32(00000000), ref: 00BC07B5
• CloseHandle.KERNEL32(?), ref: 00BC08FF
• GetLastError.KERNEL32 ref: 00BC0931
• __dosmaperr.LIBCMT ref: 00BC0938
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 482910c3cba5dae4265830702a98940332dfaed277b78e8b747a4bd9024dff6a
• Instruction ID: 3d261882f4a89ad89f856a77260a37d1e296003881ec35c7047a0d3a16f6e60e
• Opcode Fuzzy Hash: 482910c3cba5dae4265830702a98940332dfaed277b78e8b747a4bd9024dff6a
• Instruction Fuzzy Hash: FAA10736A142058FDF19BFA8D891BED7BE0EB46320F14419DF815EB291D7319D12CB91

Control-flow Graph

APIs
  • Part of subcall function 00B83A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C51418,?,00B82E7F,?,?,?,00000000), ref: 00B83A78
  • Part of subcall function 00B83357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B83379
• RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B8356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BC318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BC31CE
• RegCloseKey.ADVAPI32(?), ref: 00BC3210
• _wcslen.LIBCMT ref: 00BC3277
• _wcslen.LIBCMT ref: 00BC3286
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 98802146-2727554177
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 93d328cd35b8c8227acfa2b8bbc68746708098501f1d88a986e030a718c587ce
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: af050542db7a26b8d595f815da6b7da7604f866ce2e3df03a1fc2d62775a352c
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 93d328cd35b8c8227acfa2b8bbc68746708098501f1d88a986e030a718c587ce
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 86715B755083019EC714EF65DC81AAFBBECFF9A740B80446EF545A7170EB349A88CB52

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00B82B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00B82B9D
• LoadIconW.USER32(00000063), ref: 00B82BB3
• LoadIconW.USER32(000000A4), ref: 00B82BC5
• LoadIconW.USER32(000000A2), ref: 00B82BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B82BEF
• RegisterClassExW.USER32(?), ref: 00B82C40
  • Part of subcall function 00B82CD4: GetSysColorBrush.USER32(0000000F), ref: 00B82D07
  • Part of subcall function 00B82CD4: RegisterClassExW.USER32(00000030), ref: 00B82D31
  • Part of subcall function 00B82CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B82D42
  • Part of subcall function 00B82CD4: InitCommonControlsEx.COMCTL32(?), ref: 00B82D5F
  • Part of subcall function 00B82CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B82D6F
  • Part of subcall function 00B82CD4: LoadIconW.USER32(000000A9), ref: 00B82D85
  • Part of subcall function 00B82CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B82D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 29268f27bb3c01279fb42ca5e7659e6090e9b0f7be099caa548eee97eb834cf3
• Instruction ID: fcd16cb7310236c1ad0aff3be089f6a1b256466c3a128baadc27cc5cb5fe71e7
• Opcode Fuzzy Hash: 29268f27bb3c01279fb42ca5e7659e6090e9b0f7be099caa548eee97eb834cf3
• Instruction Fuzzy Hash: 31214F78E40314ABDB109F95ECA9BAD7FB4FB08B51F08415AFA00B66B0D3B14580CF90

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B8316A,?,?), ref: 00B831D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,00B8316A,?,?), ref: 00B83204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B83227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B8316A,?,?), ref: 00B83232
• CreatePopupMenu.USER32 ref: 00B83246
• PostQuitMessage.USER32(00000000), ref: 00B83267
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 2cc5385d9580f670e37b453a37b19025e5944cee83039238ed596de20819d1ad
• Instruction ID: 39ed07b3296acf22c3caa974d9fff6e12979372b899d56a0aab84c3759b19c03
• Opcode Fuzzy Hash: 2cc5385d9580f670e37b453a37b19025e5944cee83039238ed596de20819d1ad
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E41E439240204A6DF147F789D9DBBD3AD9F706F41F0841A9FD02A62B1DBA19A80D7A1

Control-flow Graph

APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B81459
• CoUninitialize.COMBASE ref: 00B814F8
• UnregisterHotKey.USER32(?), ref: 00B816DD
• DestroyWindow.USER32(?), ref: 00BC24B9
• FreeLibrary.KERNEL32(?), ref: 00BC251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BC254B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 01dd0f14b13aef7fa9259129447940e60e40dd170cae66fdf3c52643b57ae98a
• Instruction ID: 5ad421a0d8414d113c4c4a8610efd01098e2e5ef2cb8a56eaaa25ee186890dfe
• Opcode Fuzzy Hash: 01dd0f14b13aef7fa9259129447940e60e40dd170cae66fdf3c52643b57ae98a
• Instruction Fuzzy Hash: 08D125716022128FDB19EF18C895F69F7E8BF15710F2486EDE54AAB261DB30AD12CF50

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 642191829-3771769585
• Opcode ID: d4b0098b2df6c83b2ece7e88aa85dbaf4dc2515ed8d31d4c57b1432ad9da423f
• Instruction ID: 1b43e25259e73ca372dabddf14860bb7f1680804f4b8a68a711319e6e138d5cd
• Opcode Fuzzy Hash: d4b0098b2df6c83b2ece7e88aa85dbaf4dc2515ed8d31d4c57b1432ad9da423f
• Instruction Fuzzy Hash: 9911B171904115AFDF20AB619C8AFEF77ECEB56711F0001E9F545AA091EFF1CA819AA0

Control-flow Graph

control_flow_graph 827 b82c63-b82cd3 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B82C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B82CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00B81CAD,?), ref: 00B82CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00B81CAD,?), ref: 00B82CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$CreateShow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: AutoIt v3$edit
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1584632944-3779509399
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b14c60553d7603174488fb27cc13456b676da5b0a4a452f909ba778ec42638bc
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 70284d99920ec410c9aaec35d223d766da7209c2044434b040a1755ac64105cb
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b14c60553d7603174488fb27cc13456b676da5b0a4a452f909ba778ec42638bc
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAF03A795803907AEB301B13AC5CFBB2EBDE7C7F61F05401AFD00A21B0C6614880DAB0

Control-flow Graph (legend: Executed / Not Executed): rendered graph omitted; basic blocks b83b1c-b83b9b, with blocks calling RegOpenKeyExW, RegQueryValueExW and RegCloseKey.
APIs
• RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B83B0F,SwapMouseButtons,00000004,?), ref: 00B83B40
• RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B83B0F,SwapMouseButtons,00000004,?), ref: 00B83B61
• RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00B83B0F,SwapMouseButtons,00000004,?), ref: 00B83B83
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 737841449b1e89c57c82044b907f96cf712739d08df7bafba25614156afa5c5d
• Instruction ID: 8976acad579f520f1c0914b0850383c16b4b7a98002115c574974bccd2a1d98d
• Opcode Fuzzy Hash: 737841449b1e89c57c82044b907f96cf712739d08df7bafba25614156afa5c5d
• Instruction Fuzzy Hash: DF112AB5510208FFDB20DFA5DC84AEEB7F8EF05B84B108499B805D7120E2319F40D760

Control-flow Graph (legend: Executed / Not Executed): rendered graph omitted; basic blocks bdd292-bdd3eb, with blocks calling GetProcAddress and FreeLibrary.
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00BDD3BF
• FreeLibrary.KERNEL32 ref: 00BDD3E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
• Opcode ID: 6c21ea10a387f21edb238bb8f10638317684dad1e13c84363e56e0a24a916477
• Instruction ID: bef6045579f53106f8a869d2f5bf411a363917af335fe14876d348f9705e5cc2
• Opcode Fuzzy Hash: 6c21ea10a387f21edb238bb8f10638317684dad1e13c84363e56e0a24a916477
• Instruction Fuzzy Hash: 9CF05C758C1A11ABCB310610CCD4FADF3A0FF02711BA982E6F881E2394F720CC808689
Strings
• Variable must be of type 'Object'., xrefs: 00BD32B7
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Variable must be of type 'Object'.
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-109567571
APIs
• __Init_thread_footer.LIBCMT ref: 00B8FE66
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BC33A2
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B83A04
Strings
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00BA0668
  • Part of subcall function 00BA32A4: RaiseException.KERNEL32(?,?,?,00BA068A,?,00C51444,?,?,?,?,?,?,00BA068A,00B81129,00C48738,00B81129), ref: 00BA3304
• __CxxThrowException@8.LIBVCRUNTIME ref: 00BA0685
Strings
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B81BF4
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B81BFC
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B81C07
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B81C12
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B81C1A
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B81C22
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B81B4A: RegisterWindowMessageW.USER32(00000004,?,00B812C4), ref: 00B81BA2
                                                                                                                                                                                                                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B8136A
                                                                                                                                                                                                                                                                                                                                                                                  • OleInitialize.OLE32 ref: 00B81388
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 00BC24AB
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1986988660-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: af87682b3e739e34e5101967c1b2f8e98b98f0422c339c2ea31e1fd0084f4ac2
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9741faa1b6a21b8b9364f2199a4697e7fccad470abf214a41d90c4d58a58f8b1
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af87682b3e739e34e5101967c1b2f8e98b98f0422c339c2ea31e1fd0084f4ac2
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B71AFBC9113008ECB84EF79A84D7593AE4EB8935679D856AEC0AE7271FB3044C5CF44
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B83923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B83A04
                                                                                                                                                                                                                                                                                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00BEC259
                                                                                                                                                                                                                                                                                                                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00BEC261
                                                                                                                                                                                                                                                                                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BEC270
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 9bfffe16505ec1627e67ee382d29dff5ac4469466d5609c36818d36249fd17e5
• Instruction ID: 23cefd8ddf047cd65b3cd621d46d10161fcae68822c703cdf499aeeacd699265
• Opcode Fuzzy Hash: 9bfffe16505ec1627e67ee382d29dff5ac4469466d5609c36818d36249fd17e5
• Instruction Fuzzy Hash: FF31C570904384AFEB229F658895BEBBFECAF07304F0444D9E6DAA7241C7745A85CB51
APIs
• CloseHandle.KERNEL32(00000000,00000000,?,?,00BB85CC,?,00C48CC8,0000000C), ref: 00BB8704
• GetLastError.KERNEL32(?,00BB85CC,?,00C48CC8,0000000C), ref: 00BB870E
• __dosmaperr.LIBCMT ref: 00BB8739
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID:
• API String ID: 2583163307-0
• Opcode ID: 921107fb373bda430216816945bc743543ebacde9bb8742df0cdb5c3fcb4ba45
• Instruction ID: f87c4bd37b9548b1c6ad1a6e38ae1bd294dde064a2f925896eb895b585b60ae1
• Opcode Fuzzy Hash: 921107fb373bda430216816945bc743543ebacde9bb8742df0cdb5c3fcb4ba45
• Instruction Fuzzy Hash: DD012B3260572027D6747274A8857FE67CD8B82778F3902D9F81A9B1D2DEE08C81C155
APIs
• TranslateMessage.USER32(?), ref: 00B8DB7B
• DispatchMessageW.USER32(?), ref: 00B8DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B8DB9F
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(0000000A), ref: 00B8DBB1
                                                                                                                                                                                                                                                                                                                                                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00BD1CC9
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3288985973-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 47b4d6658535c255a46eb5be66f803dad9060b636926d7c3a24cd494ee7d9d32
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d247bd8c3f7aedab78e5b76ef9b9fe0939fbae9e6dea621bbf500bc21ee53d19
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47b4d6658535c255a46eb5be66f803dad9060b636926d7c3a24cd494ee7d9d32
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50F05E306543409BEB30DB60CC89FEA73E9EB45311F14496AF61A870D0EB709488CB15
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • __Init_thread_footer.LIBCMT ref: 00B917F6
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: CALL
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1385522511-4196123274
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: fe9ec8bf34dfb10eb47d9af1fd80ce5470096fb61e8e0297effcbc2feaf517d9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3e7f6a1974766b9fc0cd0a2b2fd353153a4fd8b4fe5a1724ed44a7dcc05198e5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe9ec8bf34dfb10eb47d9af1fd80ce5470096fb61e8e0297effcbc2feaf517d9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FB2269746082029FCB14DF18C490B2ABBF1FF99314F2589ADF4968B3A1D731E845DB92
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9f48646d7d8b5214431b1addefcf700fd67955c88879959f7c2e17fa510d4630
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b72ace59dd407510d66f08f67b51ed9a6fbbccaf436684292256b9aeedc70fb6
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f48646d7d8b5214431b1addefcf700fd67955c88879959f7c2e17fa510d4630
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 14327C70A006059FDF24EF54C885BAEB7F1EF15310F1485AAE916AB3A1E731ED44CB91
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 00BC2C8C
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B83A97,?,?,00B82E7F,?,?,?,00000000), ref: 00B83AC2
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B82DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00B82DC4
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X
• API String ID: 779396738-3081909835
APIs
• GetComputerNameW.KERNEL32(?,?), ref: 00BDD375
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ComputerName
• String ID: X64
• API String ID: 3545744682-893830106
APIs
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B83908
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
APIs
• timeGetTime.WINMM ref: 00B9F661
  • Part of subcall function 00B8D730: GetInputState.USER32 ref: 00B8D807
• Sleep.KERNEL32(00000000), ref: 00BDF2DE
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: InputSleepStateTimetime
• String ID:
• API String ID: 4149333218-0
APIs
• __Init_thread_footer.LIBCMT ref: 00B8BB4E
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Init_thread_footer
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1385522511-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cd110a0194fd65acd3cacd483d72a85f2b735671726914623314714407f9a069
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c571bce45a59b26da9ceba2af3232d9ef783d21f6e71a35ed031fb355db6eda9
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cd110a0194fd65acd3cacd483d72a85f2b735671726914623314714407f9a069
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 35328B74A002099FDB24EF64C894FBEB7F9EB45310F14809AE905AB361E774ED81CB55
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B84E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B84EDD,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84E9C
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B84E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B84EAE
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B84E90: FreeLibrary.KERNEL32(00000000,?,?,00B84EDD,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84EC0
                                                                                                                                                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84EFD
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B84E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BC3CDE,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84E62
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B84E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B84E74
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B84E59: FreeLibrary.KERNEL32(00000000,?,?,00BC3CDE,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84E87
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Library$Load$AddressFreeProc
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2632591731-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a92957b864a241654020db54e19c2a5bf0af98efb2024f27bcc89b5831cb9852
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 16ee63ec8a5d650a061ceba16a48bc4e5a0d354e11e91d8b5f7858271e828104
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a92957b864a241654020db54e19c2a5bf0af98efb2024f27bcc89b5831cb9852
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2111C132600306AACB24BB60DC42FED77E5AF50B15F1084AEF646A61E1EF709A45D750
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: __wsopen_s
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3347428461-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e794dab4ef6368839fad4f217c24717770497eb3879fbda1a58d6eca774732dc
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 26726c99554a5a6a1d2d35ccbbcdcfe2bcd8b25f145b372994b78685d6b39867
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e794dab4ef6368839fad4f217c24717770497eb3879fbda1a58d6eca774732dc
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FC11187590420AAFCF05DF58E941AEE7BF9EF48314F104099FC08AB312DA71DA11CBA5
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 13b46511b4790e66335a1948b778ce75b99150e564096cc9ce7aac895715f464
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C0F0F432514A10A7D6313A6D9C09BAA33DC9F53330F100FE5F435922D2DBB0D80586A5
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 176396367-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a600de553b18b7fec830555c75ca3bfc0ceaa82ee5ab54d68f55e9e63529489b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b66f2ccc6a42f866386a2c3f527481c72d49d8aa6e16cad6a22e3b4c4ac6860b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F9F0C8B36006016EDB14AF28D806A67BBD8EF44770F14857AF619CB1D1DB71E510CBA4
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,?,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6,?,00B81129), ref: 00BB3852
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 13f438f6e11c10d4599d4234d4091484335c36a0d3b9d6c74555b8badf62f463
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ef42d5894c65510ff0734b5206d86c50647cc08af868d27aa098c857b7355064
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 13f438f6e11c10d4599d4234d4091484335c36a0d3b9d6c74555b8badf62f463
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A9E0E531144224ABD72126AADC04BFA36C8FB83FB0F1600F0BC0492490EBD1DD0183E2
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(?,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84F6D
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6cea8c5f08a47daccb9f2f617f421422260b3a2c2aa9a568636a90cc2088744c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d6da145e24400f2d7f78ab107015edb0a7cec6ad565bf421406f5340caa5bc3a
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cea8c5f08a47daccb9f2f617f421422260b3a2c2aa9a568636a90cc2088744c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78F01571105752CFDB34AF64D490926BBE4FF153293258AAEE2EE82621C731D844DB10
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • IsWindow.USER32(00000000), ref: 00C12A66
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window
• String ID:
• API String ID: 2353593579-0
APIs
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B8314E
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
APIs
• GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00B82DC4
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
APIs
  • Part of subcall function 00B83837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B83908
  • Part of subcall function 00B8D730: GetInputState.USER32 ref: 00B8D807
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B82B6B
  • Part of subcall function 00B830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B8314E
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
APIs
• SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00BEDF40
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FolderPath_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2987691875-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a5681e6db2f77445c206af1db32d95f39ae4455076022cfd85bde46e5304223f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4b70ce4973e794e757ac9aa855f636c166b73fa12a25579529c4406e6afae6a5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5681e6db2f77445c206af1db32d95f39ae4455076022cfd85bde46e5304223f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CED05EA2A002282BDF60A6749C0EEFB3AACDB40214F0006A0796DD3152E920DD4486B0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(00000000,00000000,?,00BC0704,?,?,00000000,?,00BC0704,00000000,0000000C), ref: 00BC03B7
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 443f7561276f27181b4a65265524ae48e575d748346bb699eedde576f3e9719d
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 096e4efbbfdccd5e0815386644055a7efba8ecfd2815d344b3799cb89e9e51fc
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 443f7561276f27181b4a65265524ae48e575d748346bb699eedde576f3e9719d
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9CD06C3208010DBBDF028F84DD46EDE3BAAFB48714F118000BE1856020C732E821AB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00B81CBC
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: InfoParametersSystem
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3098949447-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 61b4eed9f830b899fe21cc3cd045aca0256c513e8e2aa4bf11bfd4c8a698f584
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f49462518764e73b901dcedfa509f749c52e964eb945d974d7bef55f5bd8c237
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 61b4eed9f830b899fe21cc3cd045aca0256c513e8e2aa4bf11bfd4c8a698f584
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CC09B392C03049FF2154B80BC5EF587755B349B01F448401F609755F3D3A11450F650
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
                                                                                                                                                                                                                                                                                                                                                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C1961A
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C1965B
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00C1969F
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C196C9
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32 ref: 00C196F2
                                                                                                                                                                                                                                                                                                                                                                                  • GetKeyState.USER32(00000011), ref: 00C1978B
                                                                                                                                                                                                                                                                                                                                                                                  • GetKeyState.USER32(00000009), ref: 00C19798
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C197AE
                                                                                                                                                                                                                                                                                                                                                                                  • GetKeyState.USER32(00000010), ref: 00C197B8
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C197E9
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32 ref: 00C19810
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001030,?,00C17E95), ref: 00C19918
                                                                                                                                                                                                                                                                                                                                                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C1992E
                                                                                                                                                                                                                                                                                                                                                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C19941
                                                                                                                                                                                                                                                                                                                                                                                  • SetCapture.USER32(?), ref: 00C1994A
                                                                                                                                                                                                                                                                                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00C199AF
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C199BC
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C199D6
• ReleaseCapture.USER32 ref: 00C199E1
• GetCursorPos.USER32(?), ref: 00C19A19
• ScreenToClient.USER32(?,?), ref: 00C19A26
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00C19A80
• SendMessageW.USER32 ref: 00C19AAE
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00C19AEB
• SendMessageW.USER32 ref: 00C19B1A
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C19B3B
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C19B4A
• GetCursorPos.USER32(?), ref: 00C19B68
• ScreenToClient.USER32(?,?), ref: 00C19B75
• GetParent.USER32(?), ref: 00C19B93
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00C19BFA
• SendMessageW.USER32 ref: 00C19C2B
• ClientToScreen.USER32(?,?), ref: 00C19C84
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C19CB4
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00C19CDE
• SendMessageW.USER32 ref: 00C19D01
• ClientToScreen.USER32(?,?), ref: 00C19D4E
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C19D82
  • Part of subcall function 00B99944: GetWindowLongW.USER32(?,000000EB), ref: 00B99952
• GetWindowLongW.USER32(?,000000F0), ref: 00C19E05
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
• String ID: @GUI_DRAGID$@U=u$F
• API String ID: 3429851547-1007936534
• Opcode ID: 434dac46bd12f84358c226944c20d11f1c3f7941cde7f293760195421d7e04ec
• Instruction ID: d49826eccd40bead4580dfa4a6396d3a003e6db1a2494d96feb111e202a3ffcb
• Opcode Fuzzy Hash: 434dac46bd12f84358c226944c20d11f1c3f7941cde7f293760195421d7e04ec
• Instruction Fuzzy Hash: 29428E74204601EFDB24CF24CC94BEABBF5FF8A310F144629F9A9972A1D7319990EB51
APIs
• SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00C148F3
• SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00C14908
• SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00C14927
• SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00C1494B
• SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00C1495C
• SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00C1497B
• SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00C149AE
• SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00C149D4
• SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00C14A0F
• SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C14A56
• SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00C14A7E
• IsMenu.USER32(?), ref: 00C14A97
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C14AF2
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C14B20
• GetWindowLongW.USER32(?,000000F0), ref: 00C14B94
• SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00C14BE3
• SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00C14C82
• wsprintfW.USER32 ref: 00C14CAE
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C14CC9
• GetWindowTextW.USER32(?,00000000,00000001), ref: 00C14CF1
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C14D13
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C14D33
• GetWindowTextW.USER32(?,00000000,00000001), ref: 00C14D5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
• String ID: %d/%02d/%02d$@U=u
• API String ID: 4054740463-2764005415
• Opcode ID: 48498078d29601fc97c6f0df35bb714f107d891d8b1cf7bbfb658d720848b421
• Instruction ID: eb749a9980ad56d9a601465e9ef56fba30b4284f7e6f881039225295dcb334e9
• Opcode Fuzzy Hash: 48498078d29601fc97c6f0df35bb714f107d891d8b1cf7bbfb658d720848b421
• Instruction Fuzzy Hash: 9712FE71600204ABEB289F68CC49FEE7BF8FF46310F104169F525EA2E1DB749A81DB50
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B9F998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BDF474
• IsIconic.USER32(00000000), ref: 00BDF47D
• ShowWindow.USER32(00000000,00000009), ref: 00BDF48A
• SetForegroundWindow.USER32(00000000), ref: 00BDF494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BDF4AA
• GetCurrentThreadId.KERNEL32 ref: 00BDF4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BDF4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00BDF4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00BDF4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00BDF4DE
• SetForegroundWindow.USER32(00000000), ref: 00BDF4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00BDF4F6
• keybd_event.USER32(00000012,00000000), ref: 00BDF501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00BDF50B
• keybd_event.USER32(00000012,00000000), ref: 00BDF510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00BDF519
• keybd_event.USER32(00000012,00000000), ref: 00BDF51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00BDF528
• keybd_event.USER32(00000012,00000000), ref: 00BDF52D
• SetForegroundWindow.USER32(00000000), ref: 00BDF530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 00BDF557
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 56999eaabe8b0c733b35c6e71754e1d3ee41ae2f0fd05fdc0375e39f25880ca4
• Instruction ID: ab607e37dac4184ac261b84ddfa8a5f8fd9c220f09987906f655055f66908e23
• Opcode Fuzzy Hash: 56999eaabe8b0c733b35c6e71754e1d3ee41ae2f0fd05fdc0375e39f25880ca4
• Instruction Fuzzy Hash: C9318771A84319BBEB206BB55C8AFFF7EADFB45B50F104066F601E61D1D6B05D00AAA0
APIs
  • Part of subcall function 00BE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BE170D
  • Part of subcall function 00BE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BE173A
  • Part of subcall function 00BE16C3: GetLastError.KERNEL32 ref: 00BE174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00BE1286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00BE12A8
• CloseHandle.KERNEL32(?), ref: 00BE12B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BE12D1
• GetProcessWindowStation.USER32 ref: 00BE12EA
• SetProcessWindowStation.USER32(00000000), ref: 00BE12F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BE1310
  • Part of subcall function 00BE10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BE11FC), ref: 00BE10D4
  • Part of subcall function 00BE10BF: CloseHandle.KERNEL32(?,?,00BE11FC), ref: 00BE10E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0
• API String ID: 22674027-1027155976
• Opcode ID: 9f1d2ae4483c8ce4e497b960a92732db7e30c07b8612df12b0def0e48962d610
• Instruction ID: d5c948e3f0591fd66be8406d5950c166b3ed8b64f4e0dade142239af32e59d14
• Opcode Fuzzy Hash: 9f1d2ae4483c8ce4e497b960a92732db7e30c07b8612df12b0def0e48962d610
• Instruction Fuzzy Hash: 99818C71940289ABDF119FA9DC89BEE7BF9FF05700F2485A9F911B62A0C7748944CF60
APIs
  • Part of subcall function 00BE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BE1114
  • Part of subcall function 00BE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE1120
  • Part of subcall function 00BE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE112F
  • Part of subcall function 00BE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE1136
  • Part of subcall function 00BE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BE114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BE0BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BE0C00
• GetLengthSid.ADVAPI32(?), ref: 00BE0C17
• GetAce.ADVAPI32(?,00000000,?), ref: 00BE0C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BE0C6D
• GetLengthSid.ADVAPI32(?), ref: 00BE0C84
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BE0C8C
• HeapAlloc.KERNEL32(00000000), ref: 00BE0C93
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BE0CB4
• CopySid.ADVAPI32(00000000), ref: 00BE0CBB
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BE0CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BE0D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BE0D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE0D45
• HeapFree.KERNEL32(00000000), ref: 00BE0D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE0D55
• HeapFree.KERNEL32(00000000), ref: 00BE0D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE0D65
• HeapFree.KERNEL32(00000000), ref: 00BE0D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00BE0D78
• HeapFree.KERNEL32(00000000), ref: 00BE0D7F
  • Part of subcall function 00BE1193: GetProcessHeap.KERNEL32(00000008,00BE0BB1,?,00000000,?,00BE0BB1,?), ref: 00BE11A1
  • Part of subcall function 00BE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BE0BB1,?), ref: 00BE11A8
  • Part of subcall function 00BE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BE0BB1,?), ref: 00BE11B7
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 126b148367a2baf86f7aa431daaa936dbc8b7744feb8a6f23a0efb282649a8b1
• Instruction ID: b2fa422a6332985febc658ab1272f7417a20f3c7ea474241f854ccedf6b98d94
• Opcode Fuzzy Hash: 126b148367a2baf86f7aa431daaa936dbc8b7744feb8a6f23a0efb282649a8b1
• Instruction Fuzzy Hash: 4371AC7194024AFBDF10EFA5DC84BEEBBB8FF09300F1485A5F904A6290D7B4A941CB60
APIs
• OpenClipboard.USER32(00C1CC08), ref: 00BFEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00BFEB37
• GetClipboardData.USER32(0000000D), ref: 00BFEB43
• CloseClipboard.USER32 ref: 00BFEB4F
• GlobalLock.KERNEL32(00000000), ref: 00BFEB87
• CloseClipboard.USER32 ref: 00BFEB91
• GlobalUnlock.KERNEL32(00000000), ref: 00BFEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 00BFEBC9
• GetClipboardData.USER32(00000001), ref: 00BFEBD1
• GlobalLock.KERNEL32(00000000), ref: 00BFEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 00BFEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 00BFEC38
• GetClipboardData.USER32(0000000F), ref: 00BFEC44
• GlobalLock.KERNEL32(00000000), ref: 00BFEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00BFEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BFEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BFECD2
• GlobalUnlock.KERNEL32(00000000), ref: 00BFECF3
• CountClipboardFormats.USER32 ref: 00BFED14
• CloseClipboard.USER32 ref: 00BFED59
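Reading the two API listings above as a practitioner would: the function at 00BE0Bxx pulls the DACL of a user object (GetUserObjectSecurity with 0x4 = DACL_SECURITY_INFORMATION, GetAclInformation with class 2 = AclSizeInformation and a 0xC-byte ACL_SIZE_INFORMATION buffer), copies the existing ACEs into a fresh ACL with GetAce/AddAce, appends entries for an additional SID (CopySid followed by a second AddAce), and writes the result back with SetSecurityDescriptorDacl/SetUserObjectSecurity. Together with the "winsta0" and "default" strings and the LogonUser/DuplicateToken/AdjustTokenPrivileges/OpenWindowStation/OpenDesktop APIs in the Similarity block above, that is the documented prelude to CreateProcessAsUser on the interactive window station and desktop, so this routine belongs to the run-as-another-user capability of the binary rather than to credential theft as such. The clipboard routine at 00BFEBxx asks for three formats by ID: 0xD is CF_UNICODETEXT, 0x1 is CF_TEXT and 0xF is CF_HDROP, the file-list format that DragQueryFileW unpacks into MAX_PATH (0x104) sized path buffers. A caveat when triaging: both routines are generic runtime code (a compiled AutoIt script ships its interpreter, and ClipGet/RunAs style helpers are part of it), so their presence shows capability, not that the embedded script uses them; the ref addresses are what to chase in the script-level behaviour.

The following Python script is an added example, not Joe Sandbox tooling or anything from the sample: it parses API bullets in the format shown on this page into call records and flags the two chains above by matching API names in order, tolerating the heap and SID bookkeeping calls in between. The chain definitions are heuristics chosen for this example, and the two trace strings are excerpts copied from the listings above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One bullet per call; calls issued from inside a callee carry the prefix
# "Part of subcall function <addr>:". Format assumed from the listings above.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Standard clipboard format IDs from winuser.h, as passed to GetClipboardData.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}

# Ordered API chains to flag (heuristics chosen for this example). A chain
# matches when its APIs appear in this order, with any other calls in between.
CHAINS = {
    # Open the clipboard, take a handle to its data, map it for reading.
    "clipboard_read": ("OpenClipboard", "GetClipboardData", "GlobalLock"),
    # Read a window-station/desktop DACL, append ACEs, write it back.
    "userobject_dacl_rewrite": (
        "GetUserObjectSecurity", "GetSecurityDescriptorDacl", "AddAce",
        "SetSecurityDescriptorDacl", "SetUserObjectSecurity",
    ),
}

@dataclass
class Call:
    api: str
    module: str
    args: list              # raw hex strings, or "?" where the sandbox could not resolve
    ref: int                # address of the call site
    subcall: Optional[int]  # callee address when the call is indirect, else None

def parse_trace(text: str) -> list:
    """Parse Joe Sandbox 'APIs' bullets into Call records; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls

def find_chain(calls: list, chain: tuple) -> Optional[list]:
    """Call-site addresses of the first in-order match of `chain`, or None."""
    hits, idx = [], 0
    for c in calls:
        if c.api == chain[idx]:
            hits.append(c.ref)
            idx += 1
            if idx == len(chain):
                return hits
    return None

def clipboard_formats(calls: list) -> set:
    """Names of the clipboard formats the routine actually fetches."""
    names = set()
    for c in calls:
        if c.api == "GetClipboardData" and c.args and c.args[0] != "?":
            fmt = int(c.args[0], 16)
            names.add(CLIPBOARD_FORMATS.get(fmt, f"0x{fmt:X}"))
    return names

def analyze(text: str) -> dict:
    calls = parse_trace(text)
    result = {name: find_chain(calls, chain) for name, chain in CHAINS.items()}
    result["clipboard_formats"] = sorted(clipboard_formats(calls))
    return result

# Excerpts of the two API listings above, used here as test input.
DACL_TRACE = """\
  • Part of subcall function 00BE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BE1114
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BE0BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BE0C00
• GetAce.ADVAPI32(?,00000000,?), ref: 00BE0C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BE0C6D
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BE0CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BE0D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BE0D1E
"""
CLIPBOARD_TRACE = """\
• OpenClipboard.USER32(00C1CC08), ref: 00BFEB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00BFEB37
• GetClipboardData.USER32(0000000D), ref: 00BFEB43
• CloseClipboard.USER32 ref: 00BFEB4F
• GlobalLock.KERNEL32(00000000), ref: 00BFEB87
• GetClipboardData.USER32(00000001), ref: 00BFEBD1
• GetClipboardData.USER32(0000000F), ref: 00BFEC44
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00BFEC94
• CloseClipboard.USER32 ref: 00BFED59
"""

if __name__ == "__main__":
    for name, trace in (("DACL routine", DACL_TRACE), ("clipboard routine", CLIPBOARD_TRACE)):
        print(name, analyze(trace))
```

Run stand-alone it prints, per routine, the call-site addresses (as integers) at which each chain was matched and the clipboard formats requested; paste any other "APIs" listing from the report into `analyze()` to check it the same way. Matching in order with gaps is deliberate: the sandbox interleaves heap and SID helper calls, and an exact-sequence match would miss the DACL rewrite. The trade-off is that a long, unrelated function can match by coincidence, so treat a hit as a pointer to the ref addresses worth reading, not as a verdict.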
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 420908878-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 497b18bebf5e2d01074e0a7259f30797cb2b842db6a758cc9dc12f1d4e58d3a9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 370c80fd7c16d90b50771ccb80738a4e6bde1c3ffa7720e3c77763822554f29a
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 497b18bebf5e2d01074e0a7259f30797cb2b842db6a758cc9dc12f1d4e58d3a9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5661AB34244205AFD300EF24D889F7AB7E4FF85704F1885A9F5A6972B2DB31D909CB62
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00BF69BE
                                                                                                                                                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00BF6A12
                                                                                                                                                                                                                                                                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BF6A4E
                                                                                                                                                                                                                                                                                                                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BF6A75
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BF6AB2
                                                                                                                                                                                                                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BF6ADF
                                                                                                                                                                                                                                                                                                                                                                                  Strings
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
• Opcode ID: 270eba46da0538b2ad4fba5a875e2950b087afd094e066c37f2912104041122a
• Instruction ID: ae8219b67958ed15f6a76412288a84597d01733f909e2c8f75354c67813fef3b
• Opcode Fuzzy Hash: 270eba46da0538b2ad4fba5a875e2950b087afd094e066c37f2912104041122a
• Instruction Fuzzy Hash: C5D14FB2508304AFC710EBA4C881EBBB7ECAF99704F04495DF585D71A1EB74DA48CB62
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00BF9663
• GetFileAttributesW.KERNEL32(?), ref: 00BF96A1
• SetFileAttributesW.KERNEL32(?,?), ref: 00BF96BB
• FindNextFileW.KERNEL32(00000000,?), ref: 00BF96D3
• FindClose.KERNEL32(00000000), ref: 00BF96DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 00BF96FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 00BF974A
• SetCurrentDirectoryW.KERNEL32(00C46B7C), ref: 00BF9768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00BF9772
• FindClose.KERNEL32(00000000), ref: 00BF977F
• FindClose.KERNEL32(00000000), ref: 00BF978F
Strings
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: dd5f17eca5a1b922d10f06fdef252cfee6b7236ca58726ddf9750d88dfc8a107
• Instruction ID: ec440c276008e0382e08b2a9f728b89b8b3607940553c887b3d731bd02394adc
• Opcode Fuzzy Hash: dd5f17eca5a1b922d10f06fdef252cfee6b7236ca58726ddf9750d88dfc8a107
• Instruction Fuzzy Hash: E3317E3254021D6BDB24AFB4DC49BEE77ECEF0A321F1081A5FA15E30A0DB74DE488A54
APIs
• FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00BF97BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00BF9819
• FindClose.KERNEL32(00000000), ref: 00BF9824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00BF9840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00BF9890
• SetCurrentDirectoryW.KERNEL32(00C46B7C), ref: 00BF98AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00BF98B8
• FindClose.KERNEL32(00000000), ref: 00BF98C5
                                                                                                                                                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00BF98D5
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BEDB00
                                                                                                                                                                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: 48a5a6086c84751478c2b813706c88b5dd6806e29ad2c1b9fcc2937bfe7823af
• Instruction ID: c45aae4ca9bf85a5e065a236692a81bbe60bb17e997d1600e0eed96163aa13b6
• Opcode Fuzzy Hash: 48a5a6086c84751478c2b813706c88b5dd6806e29ad2c1b9fcc2937bfe7823af
• Instruction Fuzzy Hash: 7C31753154061D6BDB20AFA4DC48BEE77ECEF473A0F1481E5F914A3190DB71DE898A64
APIs
  • Part of subcall function 00B83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B83A97,?,?,00B82E7F,?,?,?,00000000), ref: 00B83AC2
  • Part of subcall function 00BEE199: GetFileAttributesW.KERNEL32(?,00BECF95), ref: 00BEE19A
• FindFirstFileW.KERNEL32(?,?), ref: 00BED122
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00BED1DD
• MoveFileW.KERNEL32(?,?), ref: 00BED1F0
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00BED20D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00BED237
  • Part of subcall function 00BED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00BED21C,?,?), ref: 00BED2B2
• FindClose.KERNEL32(00000000,?,?,?), ref: 00BED253
• FindClose.KERNEL32(00000000), ref: 00BED264
Strings
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
• Opcode ID: f0d68c3812aa460a982d50932e45a44d2a730f49eea19eaa9186a0b3519a3871
• Instruction ID: b3bd109d2ddd5c3ae18118f59b7cc9fb34917a2389fd86d29e650f86c191f1fb
• Opcode Fuzzy Hash: f0d68c3812aa460a982d50932e45a44d2a730f49eea19eaa9186a0b3519a3871
• Instruction Fuzzy Hash: 8B614A3180514DABCF05EBE1CA92AFDB7F5AF15300F2481A5E402771A2EB71AF09DB61
APIs
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1737998785-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: dbb3ec3b0f01fd97793c26e316aabf3b821582417db8f84b9190b42de4ac0938
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ea0a302120e6a39465f857322d8a04ee7317c5a50103ff56de139c4e036218be
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dbb3ec3b0f01fd97793c26e316aabf3b821582417db8f84b9190b42de4ac0938
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FA418B35204611AFE320DF15E888B69BBE5FF45318F14C0A9F5698BA72C735EC45CB90
APIs
  • Part of subcall function 00BE16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BE170D
  • Part of subcall function 00BE16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BE173A
  • Part of subcall function 00BE16C3: GetLastError.KERNEL32 ref: 00BE174A
• ExitWindowsEx.USER32(?,00000000), ref: 00BEE932
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C01276
• WSAGetLastError.WSOCK32 ref: 00C01283
• bind.WSOCK32(00000000,?,00000010), ref: 00C012BA
• WSAGetLastError.WSOCK32 ref: 00C012C5
• closesocket.WSOCK32(00000000), ref: 00C012F4
• listen.WSOCK32(00000000,00000005), ref: 00C01303
• WSAGetLastError.WSOCK32 ref: 00C0130D
• closesocket.WSOCK32(00000000), ref: 00C0133C
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ErrorLast$closesocket$bindlistensocket
• String ID:
• API String ID: 540024437-0
APIs
• _free.LIBCMT ref: 00BBB9D4
• _free.LIBCMT ref: 00BBB9F8
• _free.LIBCMT ref: 00BBBB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C23700), ref: 00BBBB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BBBC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C51270,000000FF,?,0000003F,00000000,?), ref: 00BBBC36
• _free.LIBCMT ref: 00BBBD4B
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B83A97,?,?,00B82E7F,?,?,?,00000000), ref: 00B83AC2
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEE199: GetFileAttributesW.KERNEL32(?,00BECF95), ref: 00BEE19A
                                                                                                                                                                                                                                                                                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00BED420
                                                                                                                                                                                                                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00BED470
                                                                                                                                                                                                                                                                                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BED481
                                                                                                                                                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00BED498
                                                                                                                                                                                                                                                                                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00BED4A1
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2649000838-1173974218
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2d176d1bdb0dc916d3bf3a6be35f03f4b45adcf0b1f43ac89b86861c514cab29
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 24d8dfa9f005c617086e6696690fb3418ede6fcf91328881b1e8048650a53e24
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2d176d1bdb0dc916d3bf3a6be35f03f4b45adcf0b1f43ac89b86861c514cab29
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B3180310083859BC305FF65C8919AFB7E8BEA2700F444A9DF4D1932A1EB70EA09C763
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: __floor_pentium4
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4168288129-2761157908
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4f2b5f399dcb8acbcf039c902adcd822f50cfa789ceb7cdd7bdfa59b9999e64c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8f2479655f9b7f37a59e830ce968c95a4d63199740aa2d7401a7990d878eeaf8
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f2b5f399dcb8acbcf039c902adcd822f50cfa789ceb7cdd7bdfa59b9999e64c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43C23871E086298FDB25CE289D807FAB7F5EB49304F1441EAD85DE7251E7B4AE818F40
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BF64DC
                                                                                                                                                                                                                                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00BF6639
                                                                                                                                                                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(00C1FCF8,00000000,00000001,00C1FB68,?), ref: 00BF6650
                                                                                                                                                                                                                                                                                                                                                                                  • CoUninitialize.OLE32 ref: 00BF68D4
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: .lnk
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 886957087-24824748
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6aa2950cbfa7f968bcf8fd197eaeae050bf62f7a3d9eb8466835b351503eb8b0
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 849479ac2442b4d964cdcba04b3a1650e980d6b4188871a64b59681b4a611004
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6aa2950cbfa7f968bcf8fd197eaeae050bf62f7a3d9eb8466835b351503eb8b0
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BCD16A71508305AFD304EF24C881A6BB7E9FF95304F1449ADF5959B2A1EB70ED09CBA2
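The per-function API lists in this report are the raw material for triage: the function whose FindFirstFileW call sits at 00BED420 walks a directory with the `\*.*` wildcard and calls DeleteFileW on every hit, the function around 00BF6650 creates a COM object (dwClsContext 00000001 is CLSCTX_INPROC_SERVER) next to the string `.lnk`, and the entry that follows drives the pointer with mouse_event using dwFlags 00008001, which is MOUSEEVENTF_ABSOLUTE | MOUSEEVENTF_MOVE. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses the `APIs` and `Similarity` blocks in the format shown here (the sample input is constructed from the entries on this page), decodes the mouse_event flag word, and tags the three call chains. The chain definitions and tag names are this example's own assumptions, not Joe Sandbox signature names.

```python
"""Tag behavioural API chains in the per-function 'APIs' blocks of a Joe
Sandbox report.  Added example for this page, not Joe Sandbox's own code."""
import re
from typing import Dict, List, Optional

# Constructed sample input: lines copied from three function entries on this
# page (directory wipe, COM object next to '.lnk', synthetic mouse move).
SAMPLE = r"""APIs
  • Part of subcall function 00B83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B83A97,?,?,00B82E7F,?,?,?,00000000), ref: 00B83AC2
• FindFirstFileW.KERNEL32(?,?), ref: 00BED420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00BED470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00BED481
• FindClose.KERNEL32(00000000), ref: 00BED498
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
APIs
• _wcslen.LIBCMT ref: 00BF64DC
• CoInitialize.OLE32(00000000), ref: 00BF6639
• CoCreateInstance.OLE32(00C1FCF8,00000000,00000001,00C1FB68,?), ref: 00BF6650
• CoUninitialize.OLE32 ref: 00BF68D4
Similarity
• String ID: .lnk
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 00C022E8
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C02355
• GetCursorPos.USER32(?), ref: 00C02381
"""

# "• [Part of subcall function ADDR: ]Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Joe Sandbox joins several strings of one function with '$'.
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.+?)\s*$")

# Flag bits of mouse_event's dwFlags (winuser.h MOUSEEVENTF_*).
MOUSEEVENTF = {0x0001: "MOVE", 0x0002: "LEFTDOWN", 0x0004: "LEFTUP",
               0x0008: "RIGHTDOWN", 0x0010: "RIGHTUP", 0x0020: "MIDDLEDOWN",
               0x0040: "MIDDLEUP", 0x0800: "WHEEL", 0x8000: "ABSOLUTE"}


def parse_entries(text: str) -> List[Dict]:
    """Split the report into function entries (one per 'APIs' heading)."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "strings": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur["apis"].append({"name": m.group("name"), "module": m.group("mod"),
                                "args": args, "ref": m.group("ref"),
                                "subcall": m.group("sub")})
            continue
        m = STR_RE.match(line)
        if m:
            cur["strings"].extend(m.group("s").split("$"))
    return entries


def decode_mouse_flags(hex_arg: str) -> List[str]:
    """Expand a mouse_event dwFlags word such as 00008001 into flag names."""
    value = int(hex_arg, 16)
    return [name for bit, name in sorted(MOUSEEVENTF.items()) if value & bit]


def classify(entry: Dict) -> List[str]:
    """Tag one entry; the chain names are this example's own, not Joe Sandbox signature names."""
    # Only the function's direct calls count towards a chain; 'Part of
    # subcall' lines describe callees and are kept for context only.
    direct = {a["name"] for a in entry["apis"] if a["subcall"] is None}
    tags: List[str] = []
    if {"FindFirstFileW", "FindNextFileW", "DeleteFileW"} <= direct:
        # A FindFirstFile/FindNextFile loop around DeleteFile wipes a
        # directory; the '\*.*' wildcard says it is not one specific file.
        wildcard = any(s.endswith("*.*") for s in entry["strings"])
        tags.append("wildcard-wipe" if wildcard else "enumerate-and-delete")
    if "CoCreateInstance" in direct and any(s.lower() == ".lnk" for s in entry["strings"]):
        tags.append("shell-link-com")  # COM object instantiated next to '.lnk'
    for api in entry["apis"]:
        if api["name"] == "mouse_event" and api["args"]:
            flags = decode_mouse_flags(api["args"][0])
            if "ABSOLUTE" in flags and "MOVE" in flags:
                tags.append("synthetic-mouse-move")  # pointer driven by the sample
                break
    return tags


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE):
        first = entry["apis"][0]["ref"] if entry["apis"] else "?"
        print(f"entry near {first}: {classify(entry)}")
```

Run against a full report, the parser yields one entry per `APIs` heading, so the tags can be joined back to the Opcode ID and Instruction Fuzzy Hash that follow each block to build a hunt rule for the same function in other samples.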
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 00C022E8
  • Part of subcall function 00BFE4EC: GetWindowRect.USER32(?,?), ref: 00BFE504
• GetDesktopWindow.USER32 ref: 00C02312
• GetWindowRect.USER32(00000000), ref: 00C02319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C02355
• GetCursorPos.USER32(?), ref: 00C02381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C023DF
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2387181109-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 842157a95917f213408d0c9b2c568562ac0809cd2b0143fadeb79d478dd9c33c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 43bd8e7784c4504cc4fcefbbfb4cd7f731b65b959bb861d0e1c55379cf18ebaa
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 842157a95917f213408d0c9b2c568562ac0809cd2b0143fadeb79d478dd9c33c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F931CD72504315ABC720DF15C849B9BBBEEFF85310F004A19F995A7291DB34EA08CB92
APIs
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BF9B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00BF9C8B
  • Part of subcall function 00BF3874: GetInputState.USER32 ref: 00BF38CB
  • Part of subcall function 00BF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF3966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BF9BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BF9C75
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: ea630071326f71f863f1c5e065022e180ece428fab65bdb3e7830b574b973918
• Instruction ID: b4600e3407c64b3c394227bb8bcc195912b4208c986618331926752efcd09a05
• Opcode Fuzzy Hash: ea630071326f71f863f1c5e065022e180ece428fab65bdb3e7830b574b973918
• Instruction Fuzzy Hash: 1D413C7194420EABCF14EF64C985BEEBBF4EF05310F244195E515A31A1EB319E89CF61
APIs
  • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
• DefDlgProcW.USER32(?,?,?,?,?), ref: 00B99A4E
• GetSysColor.USER32(0000000F), ref: 00B99B23
• SetBkColor.GDI32(?,00000000), ref: 00B99B36
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
• Opcode ID: bc69b2d71fdec166d89f9528fc29205873b7c318c4036598fbc8ac7ad74add40
• Instruction ID: 311c48e738091e35459f8bdb65c03e780e842fa800ed2fc8681f5584ba3ca05d
• Opcode Fuzzy Hash: bc69b2d71fdec166d89f9528fc29205873b7c318c4036598fbc8ac7ad74add40
• Instruction Fuzzy Hash: FAA11670248504AFEF689A2C8CD8FFF66DDEB47300B1502AEF402D6691EE25DD41E272
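Added example (not part of the Joe Sandbox report and not code from the sample): a small Python triage helper that parses the per-function "APIs" listings around this point of the report, turns each bullet line into a call record, names the numeric constants a reviewer actually cares about (the socket family/type/protocol triple, the mouse_event flag word) and tags each function's behaviour from the APIs it calls. The input lists are copied from the mouse_event, FindFirstFileW and socket/bind listings on this page; the constant tables come from the public Windows SDK headers, and the tag names and the LINE_RE pattern are this example's own choices, not Joe Sandbox's.

```python
"""Added example: decode Joe Sandbox per-function 'APIs' listings into tagged call sequences."""
import re
from collections import namedtuple

# One bullet line of a listing, e.g.
#   • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C0185D
#   • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

# Winsock / USER32 constants (values from the public SDK headers).
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
MOUSEEVENTF = {0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
               0x0004: "MOUSEEVENTF_LEFTUP", 0x8000: "MOUSEEVENTF_ABSOLUTE"}

# ref = call-site address; subcall_of = callee address for nested calls, else None
Call = namedtuple("Call", "api module args ref subcall_of")


def parse_listing(lines):
    """Turn the bullet lines of one function's listing into Call records."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers such as 'APIs' / 'Strings'
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                          int(m["sub"], 16) if m["sub"] else None))
    return calls


def hexarg(arg):
    """Integer value of a hex argument; None for '?' or strings such as '*.*'."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode(call):
    """Render one call, naming the numeric constants that matter for triage."""
    a = call.args
    if call.api == "socket" and len(a) >= 3:
        fam, typ, proto = (hexarg(x) for x in a[:3])
        return "socket(%s, %s, %s)" % (AF.get(fam, a[0]), SOCK.get(typ, a[1]),
                                       PROTO.get(proto, a[2]))
    if call.api == "mouse_event" and a:
        flags = hexarg(a[0]) or 0
        names = [n for bit, n in MOUSEEVENTF.items() if flags & bit] or [hex(flags)]
        return "mouse_event(%s)" % "|".join(names)
    return "%s(%s)" % (call.api, ", ".join(a))


def classify(calls):
    """Behaviour tags for one function, derived only from the APIs it calls."""
    direct = {c.api for c in calls if c.subcall_of is None}
    every = {c.api for c in calls}
    tags = set()
    if {"socket", "bind"} <= direct:
        sock = next(c for c in calls if c.api == "socket")
        typ = SOCK.get(hexarg(sock.args[1])) if len(sock.args) > 1 else None
        if typ == "SOCK_DGRAM":
            tags.add("udp-bind")          # a bound UDP socket receives without listen()
        elif typ == "SOCK_STREAM" and "listen" in direct:
            tags.add("tcp-listen")
        else:
            tags.add("socket-bind")
    if "mouse_event" in direct:
        tags.add("synthetic-mouse-input")
    if {"FindFirstFileW", "FindNextFileW"} <= direct:
        tags.add("directory-enumeration")
    if "Sleep" in direct and "PeekMessageW" in every:
        tags.add("wait-with-message-pump")  # Sleep that keeps pumping window messages
    return tags


def analyse(lines):
    calls = parse_listing(lines)
    return {"calls": [decode(c) for c in calls], "tags": sorted(classify(calls))}


# Constructed input: listing lines copied from this report.
SOCKET_FUNC = [
    "• Part of subcall function 00C0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C0307A",
    "• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C0185D",
    "• WSAGetLastError.WSOCK32 ref: 00C01884",
    "• bind.WSOCK32(00000000,?,00000010), ref: 00C018DB",
    "• closesocket.WSOCK32(00000000), ref: 00C01915",
]
MOUSE_FUNC = [
    "• GetForegroundWindow.USER32(?,?,00000000), ref: 00C022E8",
    "• GetDesktopWindow.USER32 ref: 00C02312",
    "• GetWindowRect.USER32(00000000), ref: 00C02319",
    "• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C02355",
]
FIND_FUNC = [
    "• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00BF9B78",
    "• Part of subcall function 00BF3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF3966",
    "• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00BF9BA8",
    "• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00BF9C75",
]
```

Reading the output: the socket function decodes to socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) followed by bind with a 16-byte address (sizeof sockaddr_in), which is a UDP receive socket; datagram sockets need no listen() call, so the absence of listen/accept in the listing does not mean the port is not open. The mouse function reads the desktop rectangle and then calls mouse_event with MOUSEEVENTF_ABSOLUTE|MOUSEEVENTF_MOVE, i.e. it positions the cursor at an absolute screen coordinate rather than moving it relatively. The tags are a starting point for triage, not a verdict: the same API sequences occur in the runtime of benign scripting hosts, so they should be read together with the report's other signatures.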
APIs
  • Part of subcall function 00C0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C0307A
  • Part of subcall function 00C0304E: _wcslen.LIBCMT ref: 00C0309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C0185D
• WSAGetLastError.WSOCK32 ref: 00C01884
• bind.WSOCK32(00000000,?,00000010), ref: 00C018DB
• WSAGetLastError.WSOCK32 ref: 00C018E6
• closesocket.WSOCK32(00000000), ref: 00C01915
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1601658205-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 79730c237e409ce201f141c689b686745ae287701142172562d094d02f6be55b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: cf7d15fe094c5555bb9a0405615fad255ff53d095fe65b7aebeeefea2e240005
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 79730c237e409ce201f141c689b686745ae287701142172562d094d02f6be55b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B518171A40210AFEB10AF24C886F6AB7E5AB45718F18C598FA155F3D3C771AE41CBA1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 292994002-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a5803d810db384e4b0e52cd405cee6378c49c43e1f6faf535aa2e746dfd2aa06
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f92e34ca954e48bcf9375f6c6c7edc2ec165a850f8bc778f8464e42357451afe
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5803d810db384e4b0e52cd405cee6378c49c43e1f6faf535aa2e746dfd2aa06
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4821D3317802109FD7219F2AD894BAA7BE5FF86314B1C8058ED4A8B351CB75DD82EBD0
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1546025612
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: aefe14524640d84fb85b88c45115387232191ced3d0e63fbf90e97369a78d3a7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 95d1ee212cba968849409f860721f6fd08d26a8f4c4e622de8118a6c4aa7d2bc
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aefe14524640d84fb85b88c45115387232191ced3d0e63fbf90e97369a78d3a7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1BA25E75A0061ACBDF24DF58C980BAEB7F1FF54310F6481E9E815AB295EB709D81CB50
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00BEAAAC
                                                                                                                                                                                                                                                                                                                                                                                  • SetKeyboardState.USER32(00000080), ref: 00BEAAC8
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00BEAB36
                                                                                                                                                                                                                                                                                                                                                                                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00BEAB88
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 5501207adfe6034342369f9b0e8046fddccfc1dcafd0ffc7cefb33de07c698d4
• Instruction ID: 092a26bf88fbeb1b1db1e981bde493c3460d63512aa4d5d5f33020aaa10aad47
• Opcode Fuzzy Hash: 5501207adfe6034342369f9b0e8046fddccfc1dcafd0ffc7cefb33de07c698d4
• Instruction Fuzzy Hash: AA312670A80288AEFB309A76CC45BFA7BEEEF55310F04429AF181961D0D374A985C762
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 00BFCE89
• GetLastError.KERNEL32(?,00000000), ref: 00BFCEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 00BFCEFE
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: c7d66af8cb0c1f96a2418b5bca2bbaf7e8941c3136bf5b6255b6657d8e2095fc
• Instruction ID: 1d55e09ad1969626f97b752723adbd3c7dd6c196d1039a42ce46cc8895676a18
• Opcode Fuzzy Hash: c7d66af8cb0c1f96a2418b5bca2bbaf7e8941c3136bf5b6255b6657d8e2095fc
• Instruction Fuzzy Hash: 9D21BD7154030D9BDB20CF65CA88BBABBF8EF51314F10849EE656D3151E770EE888B60
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BE82AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: ab864afb030c180fda77542fd1f12c461e1c89690ac00fb643b471c4aee13e12
• Instruction ID: 16a493b3167530656e2d77b256a86fb0d6955a315c4c7abdd47685cc82adca75
• Opcode Fuzzy Hash: ab864afb030c180fda77542fd1f12c461e1c89690ac00fb643b471c4aee13e12
• Instruction Fuzzy Hash: EC323774A00B459FCB28CF59C481A6AB7F1FF48710B15C5AEE49ADB3A1EB70E941CB44
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00BF5CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00BF5D17
• FindClose.KERNEL32(?), ref: 00BF5D5F
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 4a31e9c09ba76b6895723cc37491ed496b984e1b3066581f50e682c712e2f61a
• Instruction ID: 6f9aeb98655feca425673309272dc46f1049c1e67df06b09fea2bc6a070d8f1c
• Opcode Fuzzy Hash: 4a31e9c09ba76b6895723cc37491ed496b984e1b3066581f50e682c712e2f61a
• Instruction Fuzzy Hash: A9519C746046059FC724DF28C494EAAB7E4FF4A314F1485ADEA5A8B3A1CB30ED48CB91
APIs
• IsDebuggerPresent.KERNEL32 ref: 00BB271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BB2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00BB2731
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3906539128-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 391c102fa191dfa960dea1039a5c15029152e141b6f73856aee4771d9821a4ff
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a326fe6c95f721a9b74107af60a1c4d510a9924ebccca774db4a1a36a1890c9c
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 391c102fa191dfa960dea1039a5c15029152e141b6f73856aee4771d9821a4ff
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8531C274951218ABCB21DF68DC887DCBBF8BF09310F5041EAE81CA6260EB709F818F44
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00BF51DA
                                                                                                                                                                                                                                                                                                                                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BF5238
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00BF52A1
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1682464887-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 815544b4c494df49075a5c7b7d893b2d87d0e9f025aa05bde0accaa672a7095b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b1b6180cf2bc9dd203d6e7b43dae12cfc9f9d62436d5d1888e546bf0692a6f07
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 815544b4c494df49075a5c7b7d893b2d87d0e9f025aa05bde0accaa672a7095b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF312B75A005189FDB00DF54D884FADBBF4FF49318F198099E905AB362DB31E859CBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BA0668
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B9FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00BA0685
                                                                                                                                                                                                                                                                                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BE170D
                                                                                                                                                                                                                                                                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BE173A
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00BE174A
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 577356006-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a1c0dfd5292ac8f3ff2f678563b6bd4d14604732790a086afc6e0cac6af8c89b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dadd36fcd84a7e29976c9852285224db94c134dfe5d23286d4e6cdd5ae6fbc52
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1c0dfd5292ac8f3ff2f678563b6bd4d14604732790a086afc6e0cac6af8c89b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D11BFB2410205AFD7189F54DCC6EAAB7F9FF04724B20C56EF05696241EB70BC418A20
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BED608
                                                                                                                                                                                                                                                                                                                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00BED645
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00BED650
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: a856b85e61668950adb38e0018b5f686e1938c8165b08be04eafd4e989e50f4f
• Instruction ID: 6f96a9acc978d13c578f7780478ef4d76500a6be7241d8691f182be073c1d2ab
• Opcode Fuzzy Hash: a856b85e61668950adb38e0018b5f686e1938c8165b08be04eafd4e989e50f4f
• Instruction Fuzzy Hash: EB117C71E41228BFDB108F959C84FEFBBBCEB46B60F108151F914E7290C2B04A018BA1
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00BE168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BE16A1
• FreeSid.ADVAPI32(?), ref: 00BE16B1
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 96cde1896ae10981661e3c1ee82acee0226fcca7c5d6d103561487330c504f8c
• Instruction ID: 8883ebbc44f039f9579c6d963cbf6de1bdfe0e49d542d71e94b2b7338b8d477e
• Opcode Fuzzy Hash: 96cde1896ae10981661e3c1ee82acee0226fcca7c5d6d103561487330c504f8c
• Instruction Fuzzy Hash: 95F0F471990309FBDB00DFE4DC89EAEBBBCFB08704F5089A5E501E2181E774AA448A50
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
• Opcode ID: 703ce745cfb7993ddb52d9aac0f4c9dd2b88e11fc9ee3ef851ed4e57946b1c7e
• Instruction ID: 48350e4f5d1a86550ceb94234449ed7c09bed78477176c37f7b9910355d66cfb
• Opcode Fuzzy Hash: 703ce745cfb7993ddb52d9aac0f4c9dd2b88e11fc9ee3ef851ed4e57946b1c7e
• Instruction Fuzzy Hash: 534128765002196FCB24DFB9CC89EFB7BF8EB84314F5042A9F915D7180E6B09D818B54
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction ID: dd55d22bc32e473e4f686d4b09a25be674e0ed506175d3e4878c73b63635c3ff
• Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction Fuzzy Hash: DA023D71E042199FDF14CFA9C8806ADFBF1EF49324F2581AAD819E7381D731AE458B94
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00BF6918
• FindClose.KERNEL32(00000000), ref: 00BF6961
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 3ec73fed1a977729f22df85a157bdb5f580aa1e911baf21654bf82ad6f0467f1
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4d13b6b30397c9e4e836b6624c186e778d38ec5372157048eca3d8c9b75f06f2
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ec73fed1a977729f22df85a157bdb5f580aa1e911baf21654bf82ad6f0467f1
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4F1193716042049FD710DF29D4C4A26BBE5FF89328F14C699F9698F6A2C770EC09CB91
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C04891,?,?,00000035,?), ref: 00BF37E4
                                                                                                                                                                                                                                                                                                                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C04891,?,?,00000035,?), ref: 00BF37F4
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorFormatLastMessage
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3479602957-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4711c266480d789f7ed1f70f1e631b69cdf7881efa87e7703abacf9aa6b24a26
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 1b8fb3f7aa54ea62d89bcc5a4b9892c6b0eba0d3636b446d290118e1d9ccfe4b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4711c266480d789f7ed1f70f1e631b69cdf7881efa87e7703abacf9aa6b24a26
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E8F0EC706042186AD71027655C8DFEB36DDEFC5761F0041A5F505D3291D5709D44C7B1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00BEB25D
                                                                                                                                                                                                                                                                                                                                                                                  • keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00BEB270
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: InputSendkeybd_event
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3536248340-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2e567d102c8f92df74c44b354ec59525ca7a145f5e7dbf41ede3de94e4268b9f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8253c1b092f94136d4f41099474930999ced5b0023dad0e678eed0b7befbd88b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2e567d102c8f92df74c44b354ec59525ca7a145f5e7dbf41ede3de94e4268b9f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10F01D7184428DABDB059FA1C845BEE7FB4FF05305F008049F955A5191C37986119F94
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BE11FC), ref: 00BE10D4
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,00BE11FC), ref: 00BE10E9
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 81990902-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2d40dc9c7451b36e6645702053943e2ec2300f5c111a44c969e941531485b16d
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d0b429418a0fe1ace3b9a6ac287389d87577583c0b8578cc5d7589d79e5021d6
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2d40dc9c7451b36e6645702053943e2ec2300f5c111a44c969e941531485b16d
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0E01A32004611AEEB252B11FC05FB777E9EB05320B20C86DB4A5804B1DB62AC909A10
                                                                                                                                                                                                                                                                                                                                                                                  Strings
• Variable is not of type 'Object'., xrefs: 00BD0C40
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.
• API String ID: 0-1840281001
• Opcode ID: a7ef50109c803ba79a9558ed0d9c3fc7d5eb319e33f493d0aba8a2b0710181c2
• Instruction ID: dd50a8dd7f8ca74afeff2f01ee41ecac66081c83a347cf210568faf038e845b4
• Opcode Fuzzy Hash: a7ef50109c803ba79a9558ed0d9c3fc7d5eb319e33f493d0aba8a2b0710181c2
• Instruction Fuzzy Hash: 4F325CB0910218DBDF14EF94D881BEDBBF5FF05304F1440AAE906AB2A2D775AD49CB60
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BB6766,?,?,00000008,?,?,00BBFEFE,00000000), ref: 00BB6998
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 03781d058453137929b6619472f65f6da96ad0836b99774c9960aecf848e91a0
• Instruction ID: f4ae68d81553103a78669d7303b56174b2ad08d4f005709302464c91e44780eb
• Opcode Fuzzy Hash: 03781d058453137929b6619472f65f6da96ad0836b99774c9960aecf848e91a0
• Instruction Fuzzy Hash: 91B13D315106089FDB15CF28C486BA57BE0FF45364F258699E8D9CF2A1C779DD91CB40
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: aa34d6822ac5e8922e342663f150c281c0d01693d1abe77381dccd3064ae6267
• Instruction ID: bd823fd23e9e5e4a492b7d6f76f9db0202f151a3e04fb54e5632ad2036d1e8e6
• Opcode Fuzzy Hash: aa34d6822ac5e8922e342663f150c281c0d01693d1abe77381dccd3064ae6267
• Instruction Fuzzy Hash: 01125E759002299BCF14CF58D981AEEB7F5FF48710F1481AAE849EB351EB309A81DF94
APIs
• BlockInput.USER32(00000001), ref: 00BFEABD
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 6f1413d66e1e82a1ac8a72d1902e73e888a962ad5b92d62a89fc75ebe6413ae5
• Instruction ID: 2177dfb4eb7ad75881da029b70ff8fee84c44be02a777706f54163be6ba39b0f
• Opcode Fuzzy Hash: 6f1413d66e1e82a1ac8a72d1902e73e888a962ad5b92d62a89fc75ebe6413ae5
• Instruction Fuzzy Hash: 7AE01A712102049FD710EF69D844EAABBE9BF99760F00845AFD59C7261DA70E8448BA0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00BA03EE), ref: 00BA09DA
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 78e564796300c5020f9bffa956e7b88bf6c97bc27dda70c56c50c14b4e1a63e6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 075a9012f3473440775b59627f515298b0f977bf2b9ff168aae56bc83276eb32
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78e564796300c5020f9bffa956e7b88bf6c97bc27dda70c56c50c14b4e1a63e6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash:
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-4108050209
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 64e811724624c58afc89cb24acbab045782328afe114c0f2ee75b9c9c1849f24
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 745166726CC6056BDB38852A8C9EBBF23C9DB03300F1805DAD886D7682CE19DE05D356
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3db04199a3291d9b60724f343021424fde4cc3e7c2a9529f9d6c3d2d4c0a9e17
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c08f130e9c8385c1aa9eb300c6d1010242c25e2f78cac59838a7ac1277aa0f56
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3db04199a3291d9b60724f343021424fde4cc3e7c2a9529f9d6c3d2d4c0a9e17
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 57320222D69F014ED7339634CC6233AA289AFB73C5F15D727E81AB5EA5EF69C4834100
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0c0958b82a5c7b82c7290a160cdc356fcf54c3c633b746c429b59a56ef470a4f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4578bcad25cc64c71a85282d87ce079896e7195b3dd308e68587f26ace566543
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c0958b82a5c7b82c7290a160cdc356fcf54c3c633b746c429b59a56ef470a4f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9532CF31A4415A8BDF28CA68C4D467DFFF1EB45300F2885FBD45A9B396E630DD81DA81
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4f8ddb28b0b46ea34e524d2a27ce2a2322436d77b26cbcf414dda27e30bfe808
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5433d005ef5f9e9de52312ae2d5dc11f762a5584aedf268d8435a2a73447be05
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f8ddb28b0b46ea34e524d2a27ce2a2322436d77b26cbcf414dda27e30bfe808
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CC22A070A0460ADFDF14DF64C881BAEB7F6FF48304F2445A9E816A72A1EB35E951CB50
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9115fb1d4aca9b1c581f3f10474194dcca408c29492b617ad248fa1357550a88
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b05991ca0a2bc27e639cefe7b96f8536364de1704e631f4d3358734bf791fd90
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9115fb1d4aca9b1c581f3f10474194dcca408c29492b617ad248fa1357550a88
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BA0282B1A0020AEBDF04DF54D881BAEB7F1FF44310F1481A9E816DB291EB31EA51CB95
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 482b641406d5308d813c21cac0dfb2ad8c214843d4c617f0e92e7c4cba6f3130
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4691557210D0A34ADBA9463E857403EFFE1DA533A1B1A0FEED4F2CA1C5FE248955D620
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 0789c3fa1b6828680e648282489a884072d138f7f9a2f5a910bcf3b838dfcea8
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0E91337220D0A34ADBAD467E857403EFFE19A933A2B1A0BDED4F2CA1C1FD248555D620
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
APIs
• DeleteObject.GDI32(00000000), ref: 00C02B30
• DeleteObject.GDI32(00000000), ref: 00C02B43
• DestroyWindow.USER32 ref: 00C02B52
• GetDesktopWindow.USER32 ref: 00C02B6D
• GetWindowRect.USER32(00000000), ref: 00C02B74
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C02CA3
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C02CB1
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02CF8
• GetClientRect.USER32(00000000,?), ref: 00C02D04
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C02D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02D62
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02D75
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02D80
• GlobalLock.KERNEL32(00000000), ref: 00C02D89
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02D98
• GlobalUnlock.KERNEL32(00000000), ref: 00C02DA1
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02DA8
• GlobalFree.KERNEL32(00000000), ref: 00C02DB3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00C1FC38,00000000), ref: 00C02DDB
• GlobalFree.KERNEL32(00000000), ref: 00C02DEB
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C02E11
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C02E30
                                                                                                                                                                                                                                                                                                                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C02E52
                                                                                                                                                                                                                                                                                                                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C0303F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $@U=u$AutoIt v3$DISPLAY$static
• API String ID: 2211948467-3613752883
• Opcode ID: 5a72b856568a0619b748f574a1987f4243a6a6936b5791fae7321140428e8b1f
• Instruction ID: 9015183d68e28564cb775ac3de609a5c31d76b6f765a2f3f44ae783db2e84aa6
• Opcode Fuzzy Hash: 5a72b856568a0619b748f574a1987f4243a6a6936b5791fae7321140428e8b1f
• Instruction Fuzzy Hash: 7E028A75A40215AFDB14DFA4CC89FAE7BB9FB4A710F148158F915AB2A1CB70ED01CB60
APIs
• SetTextColor.GDI32(?,00000000), ref: 00C1712F
• GetSysColorBrush.USER32(0000000F), ref: 00C17160
• GetSysColor.USER32(0000000F), ref: 00C1716C
• SetBkColor.GDI32(?,000000FF), ref: 00C17186
• SelectObject.GDI32(?,?), ref: 00C17195
• InflateRect.USER32(?,000000FF,000000FF), ref: 00C171C0
• GetSysColor.USER32(00000010), ref: 00C171C8
• CreateSolidBrush.GDI32(00000000), ref: 00C171CF
• FrameRect.USER32(?,?,00000000), ref: 00C171DE
• DeleteObject.GDI32(00000000), ref: 00C171E5
• InflateRect.USER32(?,000000FE,000000FE), ref: 00C17230
• FillRect.USER32(?,?,?), ref: 00C17262
• GetWindowLongW.USER32(?,000000F0), ref: 00C17284
  • Part of subcall function 00C173E8: GetSysColor.USER32(00000012), ref: 00C17421
  • Part of subcall function 00C173E8: SetTextColor.GDI32(?,?), ref: 00C17425
  • Part of subcall function 00C173E8: GetSysColorBrush.USER32(0000000F), ref: 00C1743B
  • Part of subcall function 00C173E8: GetSysColor.USER32(0000000F), ref: 00C17446
  • Part of subcall function 00C173E8: GetSysColor.USER32(00000011), ref: 00C17463
  • Part of subcall function 00C173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C17471
  • Part of subcall function 00C173E8: SelectObject.GDI32(?,00000000), ref: 00C17482
  • Part of subcall function 00C173E8: SetBkColor.GDI32(?,00000000), ref: 00C1748B
  • Part of subcall function 00C173E8: SelectObject.GDI32(?,?), ref: 00C17498
  • Part of subcall function 00C173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00C174B7
  • Part of subcall function 00C173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C174CE
  • Part of subcall function 00C173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00C174DB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
• String ID: @U=u
• API String ID: 4124339563-2594219639
• Opcode ID: 7d587ab919df7977da7f91371fdac1640961be1b05e6ba61781c682d7c045d64
• Instruction ID: b5fe988cd9012c17e22ab6f79931ca8d52d6b8bc778ac3942ac16dd45bbdd9c1
• Opcode Fuzzy Hash: 7d587ab919df7977da7f91371fdac1640961be1b05e6ba61781c682d7c045d64
• Instruction Fuzzy Hash: FAA17E72048301FFDB019F64DC88BAE7BB9FB4A320F204B19F962961A1D771E9859B51
APIs
• DestroyWindow.USER32(?,?), ref: 00B98E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00BD6AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BD6AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BD6F43
  • Part of subcall function 00B98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B98BE8,?,00000000,?,?,?,?,00B98BBA,00000000,?), ref: 00B98FC5
• SendMessageW.USER32(?,00001053), ref: 00BD6F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BD6F96
                                                                                                                                                                                                                                                                                                                                                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BD6FAC
                                                                                                                                                                                                                                                                                                                                                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00BD6FB7
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 0$@U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2760611726-975001249
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: fe226f00f6ea05929a646c9b608c852f2503c7cf79d2d9f04e15f51e88fad83a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e2718ae2f22415616ac470dc6fccc601f161eefbf4a64cfb585ed152b2aa8ba2
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fe226f00f6ea05929a646c9b608c852f2503c7cf79d2d9f04e15f51e88fad83a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8812BD34600601DFDB25CF24D898BA9BBE1FB46310F1884AAF495DB261DB31EC91DB91
APIs
• DestroyWindow.USER32(00000000), ref: 00C0273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C0286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C028A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C028B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C02900
• GetClientRect.USER32(00000000,?), ref: 00C0290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C02955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C02964
• GetStockObject.GDI32(00000011), ref: 00C02974
• SelectObject.GDI32(00000000,00000000), ref: 00C02978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C02988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C02991
• DeleteDC.GDI32(00000000), ref: 00C0299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C029C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00C029DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C02A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C02A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00C02A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C02A77
• GetStockObject.GDI32(00000011), ref: 00C02A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C02A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C02A97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-2771358697
• Opcode ID: 7ad7902b4dfb77b77220322b89367aa4f77bdc54cc0e370e0bdcd8c954161adf
• Instruction ID: 8c2ecdb7763736e7230348166859b59841c50b7fe44542e46e47b869cf6fca79
• Opcode Fuzzy Hash: 7ad7902b4dfb77b77220322b89367aa4f77bdc54cc0e370e0bdcd8c954161adf
• Instruction Fuzzy Hash: 0BB14A75A40215AFEB14DFA8CC89FAE7BA9FB09711F108154F915E72E0DB70AD40CBA0
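The API listings in these records follow one fixed shape: `Function.MODULE(args), ref: call-site`, with `?` for stack words the sandbox could not recover and a `Part of subcall function` prefix for calls observed inside a callee. The record ending at ref 00C02A97 is worth reading as a unit: it creates a top-level window of class `AutoIt v3`, two `static` labels and an `msctls_progress32` child, then sends the progress control PBM_SETRANGE (0x401) and PBM_SETSTEP (0x404). The Python below is an added example, not part of the report or of Joe Sandbox's tooling; it parses that listing (copied from this page as its constructed input, plus one subcall line from the earlier record to exercise that form) into structured calls, pulls out the window classes passed to CreateWindowExW and decodes the message IDs. The message-ID table holds only IDs that occur on this page; the rule for locating `uMsg` in the printed argument list and the "AutoIt progress window" heuristic are assumptions of this example.

```python
"""Parse Joe Sandbox per-function API listings and summarise the window
classes created and window messages sent.  Added example; the input lines
are copied from the report, everything else is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: lines copied from the report records above.
REPORT_APIS = """
• DestroyWindow.USER32(00000000), ref: 00C0273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C0286A
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C02900
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C02955
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00C029DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C02A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C02A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00C02A42
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C02A8D
  • Part of subcall function 00B98F62: InvalidateRect.USER32(?,00000000,00000001,?), ref: 00B98FC5
• ShowWindow.USER32(00000004,?,50000000), ref: 00C02A97
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")   # the report prints negatives as -000000NN


@dataclass
class ApiCall:
    func: str
    module: str
    args: list                  # int for hex words, str for string literals, None for '?'
    ref: int                    # call-site address
    subcall_of: Optional[int]   # address of the enclosing subcall function, if any


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_RE.match(tok):
        return int(tok, 16)     # int() honours the leading '-' for negative values
    return tok                  # string argument, e.g. a window class name


def parse_apis(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # headers such as "APIs" / "Strings" are skipped
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["fn"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


# Only the message IDs that occur on this page; values from the Win32 SDK headers.
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x0401: "PBM_SETRANGE",     # WM_USER + 1
    0x0404: "PBM_SETSTEP",      # WM_USER + 4
    0x1008: "LVM_DELETEITEM",   # LVM_FIRST + 8
    0x1308: "TCM_DELETEITEM",   # TCM_FIRST + 8
}


def message_name(call: ApiCall) -> Optional[str]:
    """Assumption about the report format: the sandbox prints only the stack
    words it recovered, so uMsg is usually slot 1 but sometimes slot 0.
    Prefer slot 1, fall back to slot 0, accept only a known message ID."""
    if call.func != "SendMessageW":
        return None
    for idx in (1, 0):
        if idx < len(call.args) and call.args[idx] in WINDOW_MESSAGES:
            return WINDOW_MESSAGES[call.args[idx]]
    return None


def created_window_classes(calls: list) -> list:
    """lpClassName is the second CreateWindowExW argument."""
    return [c.args[1] for c in calls
            if c.func == "CreateWindowExW" and len(c.args) > 1 and isinstance(c.args[1], str)]


def progress_ranges(calls: list) -> list:
    """PBM_SETRANGE packs (low, high) into lParam as MAKELPARAM(low, high)."""
    out = []
    for c in calls:
        if message_name(c) == "PBM_SETRANGE" and len(c.args) >= 4 and isinstance(c.args[3], int):
            out.append((c.args[3] & 0xFFFF, (c.args[3] >> 16) & 0xFFFF))
    return out


def looks_like_autoit_progress_window(calls: list) -> bool:
    """Heuristic (an assumption of this example): an 'AutoIt v3' top-level
    window with an msctls_progress32 child that receives PBM_SETRANGE."""
    classes = created_window_classes(calls)
    return ("AutoIt v3" in classes and "msctls_progress32" in classes
            and any(message_name(c) == "PBM_SETRANGE" for c in calls))


if __name__ == "__main__":
    parsed = parse_apis(REPORT_APIS)
    print("window classes:", created_window_classes(parsed))
    print("messages:", [message_name(c) for c in parsed if c.func == "SendMessageW"])
    print("progress ranges:", progress_ranges(parsed))
    print("AutoIt progress window:", looks_like_autoit_progress_window(parsed))
```

Run over the record above it reports the three window classes in creation order, the messages WM_SETFONT, PBM_SETRANGE, PBM_SETSTEP, WM_SETFONT, and a progress range of 0..100 (lParam 0x00640000). Point the same parser at any other function record on the page to get its call sequence in a form you can diff against a known AutoIt runtime.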
APIs
• GetSysColor.USER32(00000012), ref: 00C17421
• SetTextColor.GDI32(?,?), ref: 00C17425
• GetSysColorBrush.USER32(0000000F), ref: 00C1743B
• GetSysColor.USER32(0000000F), ref: 00C17446
• CreateSolidBrush.GDI32(?), ref: 00C1744B
• GetSysColor.USER32(00000011), ref: 00C17463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C17471
• SelectObject.GDI32(?,00000000), ref: 00C17482
• SetBkColor.GDI32(?,00000000), ref: 00C1748B
• SelectObject.GDI32(?,?), ref: 00C17498
• InflateRect.USER32(?,000000FF,000000FF), ref: 00C174B7
                                                                                                                                                                                                                                                                                                                                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C174CE
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00C174DB
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C1752A
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C17554
                                                                                                                                                                                                                                                                                                                                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00C17572
                                                                                                                                                                                                                                                                                                                                                                                  • DrawFocusRect.USER32(?,?), ref: 00C1757D
                                                                                                                                                                                                                                                                                                                                                                                  • GetSysColor.USER32(00000011), ref: 00C1758E
                                                                                                                                                                                                                                                                                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00C17596
                                                                                                                                                                                                                                                                                                                                                                                  • DrawTextW.USER32(?,00C170F5,000000FF,?,00000000), ref: 00C175A8
                                                                                                                                                                                                                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 00C175BF
                                                                                                                                                                                                                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00C175CA
                                                                                                                                                                                                                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 00C175D0
                                                                                                                                                                                                                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00C175D5
                                                                                                                                                                                                                                                                                                                                                                                  • SetTextColor.GDI32(?,?), ref: 00C175DB
                                                                                                                                                                                                                                                                                                                                                                                  • SetBkColor.GDI32(?,?), ref: 00C175E5
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1996641542-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e667b6ff378e7b1de19b7a9eadc001385dc0e4b312d2e429b0c6460fb3e393f8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f1eb5be6f001d6a0454b3a0e43868a23e39a5e8df6ec03982cdb7f279872b1e3
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e667b6ff378e7b1de19b7a9eadc001385dc0e4b312d2e429b0c6460fb3e393f8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED613071944218BFDB019FA4DC49BEE7B79FB0A320F218115F915A72A1D67499409F90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00BF4AED
                                                                                                                                                                                                                                                                                                                                                                                  • GetDriveTypeW.KERNEL32(?,00C1CB68,?,\\.\,00C1CC08), ref: 00BF4BCA
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,00C1CB68,?,\\.\,00C1CC08), ref: 00BF4D36
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorMode$DriveType
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2907320926-4222207086
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b32e21d2d4d73b45982c8596762f8bf33795f89f41c13c8d4e1569f148b5d4ab
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f9275ef8fa0fb58a17575ff7fafa14c1d5af53a6a69e14365ca67d216d3801c5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b32e21d2d4d73b45982c8596762f8bf33795f89f41c13c8d4e1569f148b5d4ab
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7361D330A4120D9BCB04DF24CAC19BE77F0FB46710B2490E5F906AB6A6CB31DD49DB52
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00C102E5
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00C1031F
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00C10389
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00C103F1
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00C10475
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C104C5
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C10504
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B9F9F2: _wcslen.LIBCMT ref: 00B9F9FD
  • Part of subcall function 00BE223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE2258
  • Part of subcall function 00BE223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE228A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-1753161424
• Opcode ID: 656233df36da65256d2c445aee6a412b5abab10badb248d28ec26a35bf76f5c9
• Instruction ID: fed4ad69472a072a8e8777ce55a9ff296f740090e3f88296fc6c682ba7ec7b2d
• Opcode Fuzzy Hash: 656233df36da65256d2c445aee6a412b5abab10badb248d28ec26a35bf76f5c9
• Instruction Fuzzy Hash: B2E1D5312182018FCB14DF24C4918BAB7E5BFD9714B6449ACF8A69B3A1DB70EEC5DB41
APIs
• GetCursorPos.USER32(?), ref: 00C11128
• GetDesktopWindow.USER32 ref: 00C1113D
• GetWindowRect.USER32(00000000), ref: 00C11144
• GetWindowLongW.USER32(?,000000F0), ref: 00C11199
• DestroyWindow.USER32(?), ref: 00C111B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C111ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C1120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C1121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00C11232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C11245
• IsWindowVisible.USER32(00000000), ref: 00C112A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C112BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C112D0
• GetWindowRect.USER32(00000000,?), ref: 00C112E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 00C1130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00C11328
• CopyRect.USER32(?,?), ref: 00C1133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00C113AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: b5ddd59a34cf8b7d5f190707226152c02db6d08d22cbf6ede1a1521924fbe3b1
• Instruction ID: d7237ac5f042391db82f4ca0d6f22692bee15519aa494a4a76fd076081f9fb43
• Opcode Fuzzy Hash: b5ddd59a34cf8b7d5f190707226152c02db6d08d22cbf6ede1a1521924fbe3b1
• Instruction Fuzzy Hash: 71B1AF71604341AFD700DF64C884BAEBBE4FF8A350F04895CFA999B2A1C735E985DB91
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B98968
• GetSystemMetrics.USER32(00000007), ref: 00B98970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B9899B
• GetSystemMetrics.USER32(00000008), ref: 00B989A3
• GetSystemMetrics.USER32(00000004), ref: 00B989C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B989E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B989F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B98A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B98A3C
• GetClientRect.USER32(00000000,000000FF), ref: 00B98A5A
• GetStockObject.GDI32(00000011), ref: 00B98A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00B98A81
  • Part of subcall function 00B9912D: GetCursorPos.USER32(?), ref: 00B99141
  • Part of subcall function 00B9912D: ScreenToClient.USER32(00000000,?), ref: 00B9915E
  • Part of subcall function 00B9912D: GetAsyncKeyState.USER32(00000001), ref: 00B99183
  • Part of subcall function 00B9912D: GetAsyncKeyState.USER32(00000002), ref: 00B9919D
• SetTimer.USER32(00000000,00000000,00000028,00B990FC), ref: 00B98AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u$AutoIt v3 GUI
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1458621304-2077007950
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 1fd45c27deeb8eeefc17a95023b35e64cee04e64d6272fc27441c3cea069a375
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3fb60612825ba995cd0627e6f2860f85e2738952de7e72727385fa12bf1587d3
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1fd45c27deeb8eeefc17a95023b35e64cee04e64d6272fc27441c3cea069a375
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CFB16B75A402099FDF14DFA8C889BEE7BF5FB49315F14826AFA15A7290DB34A840CB50
APIs
• LoadIconW.USER32(00000063), ref: 00BE5A2E
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00BE5A40
• SetWindowTextW.USER32(?,?), ref: 00BE5A57
• GetDlgItem.USER32(?,000003EA), ref: 00BE5A6C
• SetWindowTextW.USER32(00000000,?), ref: 00BE5A72
• GetDlgItem.USER32(?,000003E9), ref: 00BE5A82
• SetWindowTextW.USER32(00000000,?), ref: 00BE5A88
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00BE5AA9
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00BE5AC3
• GetWindowRect.USER32(?,?), ref: 00BE5ACC
• _wcslen.LIBCMT ref: 00BE5B33
• SetWindowTextW.USER32(?,?), ref: 00BE5B6F
• GetDesktopWindow.USER32 ref: 00BE5B75
• GetWindowRect.USER32(00000000), ref: 00BE5B7C
• MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00BE5BD3
• GetClientRect.USER32(?,?), ref: 00BE5BE0
• PostMessageW.USER32(?,00000005,00000000,?), ref: 00BE5C05
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00BE5C2F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
• String ID: @U=u
• API String ID: 895679908-2594219639
• Opcode ID: 9746b9377f5ff8ec4124d0be22cc8c145b20200a6ea96d1c01ac325728a75be8
• Instruction ID: 54bcbf0a90149fa6bc5be29dc5e8309861c012249678d48e803c5423bb435310
• Opcode Fuzzy Hash: 9746b9377f5ff8ec4124d0be22cc8c145b20200a6ea96d1c01ac325728a75be8
• Instruction Fuzzy Hash: BA715A31900B49AFDB20DFA9CE85BAEBBF5FF48708F104668F542A25A0D775E944CB50
APIs
• CharUpperBuffW.USER32(?,?), ref: 00C109C6
• _wcslen.LIBCMT ref: 00C10A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C10A54
• _wcslen.LIBCMT ref: 00C10A8A
• _wcslen.LIBCMT ref: 00C10B06
• _wcslen.LIBCMT ref: 00C10B81
  • Part of subcall function 00B9F9F2: _wcslen.LIBCMT ref: 00B9F9FD
  • Part of subcall function 00BE2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BE2BFA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-383632319
• Opcode ID: 7c5202385993592ca22f0dd7ba2006a8091b45680109be2125801990cf8b29ba
• Instruction ID: b3d25c7de157db4c4295618c1ba11dece1ec1ee17d33efee54fc67482e724869
• Opcode Fuzzy Hash: 7c5202385993592ca22f0dd7ba2006a8091b45680109be2125801990cf8b29ba
• Instruction Fuzzy Hash: 7CE1A1312083018FCB14EF25C4509AAB7E1FF99314F24899CF8A69B362D770EE85DB91
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BE1114
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE1120
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE112F
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE1136
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BE114D
                                                                                                                                                                                                                                                                                                                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BE0DF5
                                                                                                                                                                                                                                                                                                                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BE0E29
                                                                                                                                                                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00BE0E40
                                                                                                                                                                                                                                                                                                                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00BE0E7A
                                                                                                                                                                                                                                                                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BE0E96
                                                                                                                                                                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00BE0EAD
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00BE0EB5
                                                                                                                                                                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00BE0EBC
                                                                                                                                                                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BE0EDD
                                                                                                                                                                                                                                                                                                                                                                                  • CopySid.ADVAPI32(00000000), ref: 00BE0EE4
                                                                                                                                                                                                                                                                                                                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BE0F13
                                                                                                                                                                                                                                                                                                                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BE0F35
                                                                                                                                                                                                                                                                                                                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BE0F47
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE0F6E
                                                                                                                                                                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00BE0F75
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE0F7E
                                                                                                                                                                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00BE0F85
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE0F8E
                                                                                                                                                                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00BE0F95
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00BE0FA1
                                                                                                                                                                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00BE0FA8
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE1193: GetProcessHeap.KERNEL32(00000008,00BE0BB1,?,00000000,?,00BE0BB1,?), ref: 00BE11A1
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00BE0BB1,?), ref: 00BE11A8
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00BE0BB1,?), ref: 00BE11B7
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 59588aac265d269b77fd5b10e3dc7757d67e1b50dadab1f6c336eebc35fa8404
• Instruction ID: ebc083963247bf44f810b5be2fe3588160871cccd48d7a5d9bf8aed89bc5cb99
• Opcode Fuzzy Hash: 59588aac265d269b77fd5b10e3dc7757d67e1b50dadab1f6c336eebc35fa8404
• Instruction Fuzzy Hash: 05718C7294024AEBDF20AFA5DC44FEEBBB8FF09300F148155F919A6191D7709D55CBA0
APIs
• _wcslen.LIBCMT ref: 00C1835A
• _wcslen.LIBCMT ref: 00C1836E
• _wcslen.LIBCMT ref: 00C18391
• _wcslen.LIBCMT ref: 00C183B4
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C183F2
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C1361A,?), ref: 00C1844E
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C18487
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C184CA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C18501
• FreeLibrary.KERNEL32(?), ref: 00C1850D
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C1851D
• DestroyIcon.USER32(?), ref: 00C1852C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C18549
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C18555
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl$@U=u
• API String ID: 799131459-1639919054
• Opcode ID: e821cdf14a3edd5d580a9c612b88837fbc5e8434c73564e0b1a10e94c6977065
• Instruction ID: 040c38b31bfb55f78721a5b377a48e45352e91389ae19f7e6892a1e66de0f23c
• Opcode Fuzzy Hash: e821cdf14a3edd5d580a9c612b88837fbc5e8434c73564e0b1a10e94c6977065
• Instruction Fuzzy Hash: 9261E171548205BEEB14DF64CC81BFE77A8FB06710F108649F825D61D1DFB4AA94D7A0
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C0C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00C1CC08,00000000,?,00000000,?,?), ref: 00C0C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C0C5A4
• _wcslen.LIBCMT ref: 00C0C5F4
• _wcslen.LIBCMT ref: 00C0C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C0C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C0C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C0C84D
• RegCloseKey.ADVAPI32(?), ref: 00C0C881
• RegCloseKey.ADVAPI32(00000000), ref: 00C0C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C0C960
Strings
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 8f775c0b5ff68c15f801dffec0ad6e59efedde149644889aa05b88111b5a9bad
• Instruction ID: 2460fd1a39cc6a7f9c009d0cd242e9e6f29b7cf0c92953c460faf0740f9e818f
• Opcode Fuzzy Hash: 8f775c0b5ff68c15f801dffec0ad6e59efedde149644889aa05b88111b5a9bad
• Instruction Fuzzy Hash: 8E1299356082019FDB14EF14C891B2AB7E5FF89714F14899CF89A9B3A2DB31ED01CB91
APIs
Strings
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 1256254125-909552448
• Opcode ID: e4c3fd74dc57896750fbe1f2f367c8ab93892b677fe35f03de0720ea78b9068e
• Instruction ID: 4e7fc0a375dbede294c008c02c65b8eea23cc61086bad36cdd27a0aa45488e45
• Opcode Fuzzy Hash: e4c3fd74dc57896750fbe1f2f367c8ab93892b677fe35f03de0720ea78b9068e
• Instruction Fuzzy Hash: 0371E13260416A8BCF20DF6CC9D16BF3395ABA1B54B650728FC66A72C4E735CE45D3A0
Strings
Similarity
• API ID:
• String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 0-1645009161
• Opcode ID: e85de937618c77cf499ab3c08e04cc34eb1e890f01617498f92c439735963277
• Instruction ID: 3f406d838d98ad59bdc2a4577a7222bfdfdfa6fa0c2ff2ba49097c9b71c12ca9
• Opcode Fuzzy Hash: e85de937618c77cf499ab3c08e04cc34eb1e890f01617498f92c439735963277
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8381C771688605BBDB21BF60CC46FAE77E4EF16304F1440B4F805AA1A6EB70DD51D791
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00C18592
                                                                                                                                                                                                                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00C185A2
                                                                                                                                                                                                                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C185AD
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00C185BA
                                                                                                                                                                                                                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00C185C8
                                                                                                                                                                                                                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C185D7
                                                                                                                                                                                                                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00C185E0
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00C185E7
                                                                                                                                                                                                                                                                                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C185F8
                                                                                                                                                                                                                                                                                                                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00C1FC38,?), ref: 00C18611
                                                                                                                                                                                                                                                                                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00C18621
                                                                                                                                                                                                                                                                                                                                                                                  • GetObjectW.GDI32(?,00000018,000000FF), ref: 00C18641
                                                                                                                                                                                                                                                                                                                                                                                  • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00C18671
                                                                                                                                                                                                                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00C18699
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C186AF
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3840717409-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 86592b69834aeed7132e07fec5490042e6b806b05552bc7477fc220a6c6c1d8f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 59588e7ed738bcbd1793643bdd72b2c1db5a79f89f157a55bf58daaaf779f286
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 86592b69834aeed7132e07fec5490042e6b806b05552bc7477fc220a6c6c1d8f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 17412775640208AFDB119FA5CC88FEE7BB9FF8AB11F108059F915E7260DB309A45DB60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BA00C6
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00C5070C,00000FA0,19CDA510,?,?,?,?,00BC23B3,000000FF), ref: 00BA011C
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BC23B3,000000FF), ref: 00BA0127
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BC23B3,000000FF), ref: 00BA0138
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BA014E
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BA015C
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BA016A
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BA0195
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BA01A0
                                                                                                                                                                                                                                                                                                                                                                                  • ___scrt_fastfail.LIBCMT ref: 00BA00E7
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BA00A3: __onexit.LIBCMT ref: 00BA00A9
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  • InitializeConditionVariable, xrefs: 00BA0148
                                                                                                                                                                                                                                                                                                                                                                                  • kernel32.dll, xrefs: 00BA0133
                                                                                                                                                                                                                                                                                                                                                                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BA0122
                                                                                                                                                                                                                                                                                                                                                                                  • WakeAllConditionVariable, xrefs: 00BA0162
                                                                                                                                                                                                                                                                                                                                                                                  • SleepConditionVariableCS, xrefs: 00BA0154
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
• Opcode ID: b79058bb99132b61b67c31bcc2edd9fcdc5201c7662de3d1737510004ed359b5
• Instruction ID: 0ac006e98a207f5388be851b59311790c42aebe8958fb794f24c01f3c6738284
• Opcode Fuzzy Hash: b79058bb99132b61b67c31bcc2edd9fcdc5201c7662de3d1737510004ed359b5
• Instruction Fuzzy Hash: 0421F9326987116BE7107F64AC46BED37E4EB47B61F104179F801F22A1DF6498408A90

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 176396367-1603158881
• Opcode ID: 2e17d87528b5b221b1590d1b91aa4efb31333c0d547c64105fabc31a25a08883
• Instruction ID: e7a0b7485b29b416e484f4c8ce0d8439d3357652628eecd9dbbcf2831683cf4d
• Opcode Fuzzy Hash: 2e17d87528b5b221b1590d1b91aa4efb31333c0d547c64105fabc31a25a08883
• Instruction Fuzzy Hash: E1E1F532A00556ABCF149FA5C499BEEBBF0FF54B10F5481A9E456B7280DB30AE858790

APIs
• CharLowerBuffW.USER32(00000000,00000000,00C1CC08), ref: 00BF4527
• _wcslen.LIBCMT ref: 00BF453B
• _wcslen.LIBCMT ref: 00BF4599
• _wcslen.LIBCMT ref: 00BF45F4
• _wcslen.LIBCMT ref: 00BF463F
• _wcslen.LIBCMT ref: 00BF46A7
  • Part of subcall function 00B9F9F2: _wcslen.LIBCMT ref: 00B9F9FD
• GetDriveTypeW.KERNEL32(?,00C46BF0,00000061), ref: 00BF4743
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2055661098-1000479233
• Opcode ID: 925857fe7ffd3d14e6123ba05a90ba5c8a76477d9f8c833c131f533b15b5f512
• Instruction ID: f3301e54b9a30680761112756aa499385443489b982dfb867727fe94a8504d0e
• Opcode Fuzzy Hash: 925857fe7ffd3d14e6123ba05a90ba5c8a76477d9f8c833c131f533b15b5f512
• Instruction Fuzzy Hash: 95B1ED716083069BC710EF28C890A7BB7E5FFA6760F50499DF696C72A1D730D948CB92

APIs
• DestroyWindow.USER32(00000000,?), ref: 00C16DEB
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C16E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C16E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C16E94
• DestroyWindow.USER32(?), ref: 00C16EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B80000,00000000), ref: 00C16EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C16EFD
• GetDesktopWindow.USER32 ref: 00C16F16
• GetWindowRect.USER32(00000000), ref: 00C16F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C16F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C16F4D
  • Part of subcall function 00B99944: GetWindowLongW.USER32(?,000000EB), ref: 00B99952
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$@U=u$tooltips_class32
• API String ID: 2429346358-1130792468
• Opcode ID: 48e3533afedaa192d81d79df787da9b30335ed2638d1a6eaf633d7a54d9b2ee2
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5d998a09a25acade37ed569fee7137e36e00e05ddc4e6eb2db783a49421a679e
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 48e3533afedaa192d81d79df787da9b30335ed2638d1a6eaf633d7a54d9b2ee2
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C716974244340AFDB21CF58D888BAABBE9FF8A304F04451DF99997261C770EA86DB11
APIs
  • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
• DragQueryPoint.SHELL32(?,?), ref: 00C19147
  • Part of subcall function 00C17674: ClientToScreen.USER32(?,?), ref: 00C1769A
  • Part of subcall function 00C17674: GetWindowRect.USER32(?,?), ref: 00C17710
  • Part of subcall function 00C17674: PtInRect.USER32(?,?,00C18B89), ref: 00C17720
• SendMessageW.USER32(?,000000B0,?,?), ref: 00C191B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C191BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C191DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C19225
• SendMessageW.USER32(?,000000B0,?,?), ref: 00C1923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00C19255
• SendMessageW.USER32(?,000000B1,?,?), ref: 00C19277
• DragFinish.SHELL32(?), ref: 00C1927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C19371
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
• API String ID: 221274066-762882726
• Opcode ID: 47065846f12fe9081c47bc12a0d86d796409214e2bab84f2f376c05d73a98e4c
• Instruction ID: b4b9c5c51c624d8d3e14163909df1e3f040f636016ee6efe5426ba4dfe566e12
• Opcode Fuzzy Hash: 47065846f12fe9081c47bc12a0d86d796409214e2bab84f2f376c05d73a98e4c
• Instruction Fuzzy Hash: 85617C71108301AFD701EF64DC85EAFBBE8FF89750F44096EF595921A1DB309A89CB52
APIs
• GetMenuItemCount.USER32(00C51990), ref: 00BC2F8D
• GetMenuItemCount.USER32(00C51990), ref: 00BC303D
• GetCursorPos.USER32(?), ref: 00BC3081
• SetForegroundWindow.USER32(00000000), ref: 00BC308A
• TrackPopupMenuEx.USER32(00C51990,00000000,?,00000000,00000000,00000000), ref: 00BC309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BC30A9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: f385b97b23c8c31e1c68c6fab42c094db20b22c691cb2c59d3b25afe54396e04
• Instruction ID: a69abcbf8f1c224be3c3f2e38513bb9b9ed35b85ebda3fe3c690dd1d06138166
• Opcode Fuzzy Hash: f385b97b23c8c31e1c68c6fab42c094db20b22c691cb2c59d3b25afe54396e04
• Instruction Fuzzy Hash: 02711971644209BFEB219F28CC89FAABFE5FF05724F20425AF515661E0C7B1AD50D790
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BFC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BFC4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BFC4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BFC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00BFC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BFC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BFC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BFC584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00BFC5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00BFC5F0
• InternetCloseHandle.WININET(00000000), ref: 00BFC5FB
Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3800310941-3916222277
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 91c2bf5d4ed2a64e9cd2751bde4de601b8fd68098b63e5ca6a7c5f9186e121eb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ff81755d4546d0e53e2b55220173ea3f3b6a7c2ef336b7142d141f4d9f2e4e58
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 91c2bf5d4ed2a64e9cd2751bde4de601b8fd68098b63e5ca6a7c5f9186e121eb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D5149B154020DBFDB218F648A89BBA7FFCFB19754F008459FA45D7250DB70E9889BA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00BF1502
                                                                                                                                                                                                                                                                                                                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00BF150B
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00BF1517
                                                                                                                                                                                                                                                                                                                                                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00BF15FB
                                                                                                                                                                                                                                                                                                                                                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 00BF1657
                                                                                                                                                                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00BF1708
                                                                                                                                                                                                                                                                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00BF178C
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00BF17D8
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00BF17E7
                                                                                                                                                                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00BF1823
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1234038744-3931177956
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 711c8e2627fdd871c54c6282a61886e6b311d80e754e2eef621c48e8f816e581
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 93d1022545f1bad31fbb9af8af68ad08f69c4215eba2cf9d2765f3abcedf49d5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 711c8e2627fdd871c54c6282a61886e6b311d80e754e2eef621c48e8f816e581
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 42D1DD71A00119EBDB04AF69D884BB9B7F6FF45700F108CA6E606AB190DB30DC59DBA1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0B6AE,?,?), ref: 00C0C9B5
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0C9F1
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0CA68
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0CA9E
                                                                                                                                                                                                                                                                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C0B6F4
                                                                                                                                                                                                                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C0B772
                                                                                                                                                                                                                                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(?,?), ref: 00C0B80A
                                                                                                                                                                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00C0B87E
                                                                                                                                                                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00C0B89C
                                                                                                                                                                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C0B8F2
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C0B904
                                                                                                                                                                                                                                                                                                                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C0B922
                                                                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00C0B983
                                                                                                                                                                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C0B994
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C15504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C15515
• CharNextW.USER32(00000158), ref: 00C15544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C15585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C1559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C155AC
Strings
Similarity
• API ID: MessageSend$CharNext
• String ID: @U=u
• API String ID: 1350042424-2594219639
APIs
• GetDC.USER32(00000000), ref: 00C025D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C025E8
• CreateCompatibleDC.GDI32(?), ref: 00C025F4
• SelectObject.GDI32(00000000,?), ref: 00C02601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C0266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C026AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C026D0
• SelectObject.GDI32(?,?), ref: 00C026D8
• DeleteObject.GDI32(?), ref: 00C026E1
• DeleteDC.GDI32(?), ref: 00C026E8
• ReleaseDC.USER32(00000000,?), ref: 00C026F3
Strings
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
APIs
• timeGetTime.WINMM ref: 00BEE6B4
  • Part of subcall function 00B9E551: timeGetTime.WINMM(?,?,00BEE6D4), ref: 00B9E555
• Sleep.KERNEL32(0000000A), ref: 00BEE6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00BEE705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BEE727
• SetActiveWindow.USER32 ref: 00BEE746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BEE754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00BEE773
• Sleep.KERNEL32(000000FA), ref: 00BEE77E
• IsWindow.USER32 ref: 00BEE78A
• EndDialog.USER32(00000000), ref: 00BEE79B
Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u$BUTTON
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1194449130-2582809321
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 21fbfff4c7c4cf1252ffd8e89d39ec04634c373cfdac778a5c00476e04e8197c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: fb89c3fa2aa4afdc71279dc99a61044e6537831c62a0f3c37b0d4a193ee9dac8
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21fbfff4c7c4cf1252ffd8e89d39ec04634c373cfdac778a5c00476e04e8197c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D2219374240785AFEB005F21ECC9B6D3BE9F75674AF105464F825921B1DF71EC809B24
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 00BBDAA1
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD659
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD66B
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD67D
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD68F
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD6A1
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD6B3
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD6C5
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD6D7
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD6E9
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD6FB
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD70D
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD71F
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BBD63C: _free.LIBCMT ref: 00BBD731
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDA96
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDAB8
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDACD
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDAD8
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDAFA
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB0D
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB1B
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB26
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB5E
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB65
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB82
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBDB9A
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 161543041-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 00451ce743cd980f4a11742ae55feb000ce5c797f7b674d8ea39ce659af3bc85
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f4cadcfec718cfc93fcc0a2fc3f2129284dc2f8e2081eed15f7c314d644d05ce
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 00451ce743cd980f4a11742ae55feb000ce5c797f7b674d8ea39ce659af3bc85
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CD311D71604605AFDB31AB39D845BF6B7E9FF00310F1548A9E489D7291EAF9EC40C724
                                                                                                                                                                                                                                                                                                                                                                                  APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00BE369C
• _wcslen.LIBCMT ref: 00BE36A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BE3797
• GetClassNameW.USER32(?,?,00000400), ref: 00BE380C
• GetDlgCtrlID.USER32(?), ref: 00BE385D
• GetWindowRect.USER32(?,?), ref: 00BE3882
• GetParent.USER32(?), ref: 00BE38A0
• ScreenToClient.USER32(00000000), ref: 00BE38A7
• GetClassNameW.USER32(?,?,00000100), ref: 00BE3921
• GetWindowTextW.USER32(?,?,00000400), ref: 00BE395D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
• API String ID: 4010501982-679674701
• Opcode ID: 4cdba3d8acf670856fe319c797af9aea004a8aea392e1dc2fd5a4563b6a53d6f
• Instruction ID: 12474cbfab19fdd42ad61b59aa5852adc5056987f27fe983fde8c44d0ef511e7
• Opcode Fuzzy Hash: 4cdba3d8acf670856fe319c797af9aea004a8aea392e1dc2fd5a4563b6a53d6f
• Instruction Fuzzy Hash: FF91B071204746AFDB18DF26C889FAAB7E8FF44710F008569F99AC3191DB30EA55CB91
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00BE4994
• GetWindowTextW.USER32(?,?,00000400), ref: 00BE49DA
• _wcslen.LIBCMT ref: 00BE49EB
• CharUpperBuffW.USER32(?,00000000), ref: 00BE49F7
• _wcsstr.LIBVCRUNTIME ref: 00BE4A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00BE4A64
• GetWindowTextW.USER32(?,?,00000400), ref: 00BE4A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00BE4AE6
• GetClassNameW.USER32(?,?,00000400), ref: 00BE4B20
• GetWindowRect.USER32(?,?), ref: 00BE4B8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 3e0588123a48669e39085c5d849ed3f13607ff4bc5fe53fc4e1d38d8c7ed475c
• Instruction ID: 787d87b920621c76015d2fe29587061ad7015da29b7f0c83fdff6f30bf4a1d93
• Opcode Fuzzy Hash: 3e0588123a48669e39085c5d849ed3f13607ff4bc5fe53fc4e1d38d8c7ed475c
• Instruction Fuzzy Hash: A591CE710083459FDB04DF26C985FAAB7E8FF84314F0484A9FD869A196EB34ED45CBA1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C18D5A
                                                                                                                                                                                                                                                                                                                                                                                  • GetFocus.USER32 ref: 00C18D6A
                                                                                                                                                                                                                                                                                                                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 00C18D75
                                                                                                                                                                                                                                                                                                                                                                                  • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00C18E1D
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C18ECF
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemCount.USER32(?), ref: 00C18EEC
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00C18EFC
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C18F2E
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C18F70
                                                                                                                                                                                                                                                                                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C18FA1
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0
• API String ID: 1026556194-4108050209
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BEDC20
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BEDC46
• _wcslen.LIBCMT ref: 00BEDC50
• _wcsstr.LIBVCRUNTIME ref: 00BEDCA0
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BEDCBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C0CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C0CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C0CD48
  • Part of subcall function 00C0CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C0CCAA
  • Part of subcall function 00C0CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C0CCBD
  • Part of subcall function 00C0CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C0CCCF
  • Part of subcall function 00C0CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C0CD05
  • Part of subcall function 00C0CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C0CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00C0CCF3
Strings
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2734957052-4033151799
APIs
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BEEA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BEEA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BEEA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BEEA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BEEAA7
Strings
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: SendString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2420728520-1007645807
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a5850bd031eaef1b139d66a412224be708c61b55b54ceb6022b045e088f6c700
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ed0105224c718aa6e8adbd9d8e06c095547aad7b308374d9cda28d27566d5e0b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5850bd031eaef1b139d66a412224be708c61b55b54ceb6022b045e088f6c700
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F111543165025979D720B762DC4AEFF6AFCFBD2F40F040479B411A20D5EBB04945C6B1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 00BE5CE2
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00BE5CFB
                                                                                                                                                                                                                                                                                                                                                                                  • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00BE5D59
                                                                                                                                                                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,00000002), ref: 00BE5D69
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00BE5D7B
                                                                                                                                                                                                                                                                                                                                                                                  • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00BE5DCF
                                                                                                                                                                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00BE5DDD
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00BE5DEF
                                                                                                                                                                                                                                                                                                                                                                                  • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00BE5E31
                                                                                                                                                                                                                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00BE5E44
                                                                                                                                                                                                                                                                                                                                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BE5E5A
                                                                                                                                                                                                                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00BE5E67
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: efcd2f4c4db9675588ed3e294f7c3db04a09e15bd5993519ea6da509f74a035d
• Instruction ID: b4281aaa00ce70056f01f5536662e3c050df75e705f948d298067eee50593ece
• Opcode Fuzzy Hash: efcd2f4c4db9675588ed3e294f7c3db04a09e15bd5993519ea6da509f74a035d
• Instruction Fuzzy Hash: 4C512CB0A40609AFDB18CF69CD89BAEBBF5FB49304F108169F915E7290D7709E00CB50
APIs
  • Part of subcall function 00B98F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B98BE8,?,00000000,?,?,?,?,00B98BBA,00000000,?), ref: 00B98FC5
• DestroyWindow.USER32(?), ref: 00B98C81
• KillTimer.USER32(00000000,?,?,?,?,00B98BBA,00000000,?), ref: 00B98D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00BD6973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B98BBA,00000000,?), ref: 00BD69A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B98BBA,00000000,?), ref: 00BD69B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B98BBA,00000000), ref: 00BD69D4
• DeleteObject.GDI32(00000000), ref: 00BD69E6
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 647157bb0898848eff91806abf3760cfce1f6e63de7179261a3a84d9bb5be0c8
• Instruction ID: a6c2a1bbc628f02ac690099bd97ca8537be98aff1485d2c5c9531be2a781bf03
• Opcode Fuzzy Hash: 647157bb0898848eff91806abf3760cfce1f6e63de7179261a3a84d9bb5be0c8
• Instruction Fuzzy Hash: 86617C34502700DFCF259F14D998B69B7F1FB46312F1885ADE442AB6A0CB75ADD0DB90
APIs
  • Part of subcall function 00B99944: GetWindowLongW.USER32(?,000000EB), ref: 00B99952
• GetSysColor.USER32(0000000F), ref: 00B99862
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ColorLongWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 259745315-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 71b59f87b5bb95ea73b8c6e2102c01206e3d3a509b0abc2e982e1799245ffaa5
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dd784092c0918b3ea5f0b27d29233d22dc5bb3b5ce12108af1ee3609200a189b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 71b59f87b5bb95ea73b8c6e2102c01206e3d3a509b0abc2e982e1799245ffaa5
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3C416E31184640AADF205B3C9CC8BB97BA5FB17371F2486ADF9A2872E1E7319841DB11
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BD6890
                                                                                                                                                                                                                                                                                                                                                                                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BD68A9
                                                                                                                                                                                                                                                                                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BD68B9
                                                                                                                                                                                                                                                                                                                                                                                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BD68D1
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BD68F2
                                                                                                                                                                                                                                                                                                                                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B98874,00000000,00000000,00000000,000000FF,00000000), ref: 00BD6901
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BD691E
                                                                                                                                                                                                                                                                                                                                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B98874,00000000,00000000,00000000,000000FF,00000000), ref: 00BD692D
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1268354404-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3ad3012eecb8f4722894ef5af26e8e31d8a63b95ddcb50d052d461fad9b2b251
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6c5a862a928a674f1183f39ab86c8928f5e959e78a273c52de569b5a8661b4b1
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ad3012eecb8f4722894ef5af26e8e31d8a63b95ddcb50d052d461fad9b2b251
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C516970600209EFDF20CF24CC95BAA7BF5FB49760F144569F916972A0EB72E990DB50
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00BCF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00BE9717
                                                                                                                                                                                                                                                                                                                                                                                  • LoadStringW.USER32(00000000,?,00BCF7F8,00000001), ref: 00BE9720
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00BCF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00BE9742
                                                                                                                                                                                                                                                                                                                                                                                  • LoadStringW.USER32(00000000,?,00BCF7F8,00000001), ref: 00BE9745
                                                                                                                                                                                                                                                                                                                                                                                  • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00BE9866
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 747408836-2268648507
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: dea0102ed1329de3136b24865e25798655440bc4d3b96450dc3b65ae51884a8a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5031c2071ad3cbb5e47c00fc426b54b4cdd5d7814eeea048073fefb7ea1d4409
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dea0102ed1329de3136b24865e25798655440bc4d3b96450dc3b65ae51884a8a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E6413B72800219AACF04FBE0CD86EFEB7B8AF15740F5400A5F605720A2EB356F49CB61
                                                                                                                                                                                                                                                                                                                                                                                  APIs
• Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BE07A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BE07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BE07DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BE0804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00BE082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BE0837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BE083C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: 9eca6cbb75b95e9d6e6ceafbff2933d0d261813923019b2ce75b3a6171eef144
• Instruction ID: 2b74583f95c9d41dbfa38e397fea7a08fbd7c1083fe33d17ab9e57a26c8d88ae
• Opcode Fuzzy Hash: 9eca6cbb75b95e9d6e6ceafbff2933d0d261813923019b2ce75b3a6171eef144
• Instruction Fuzzy Hash: 6B410672C10229ABDF11FBA4DC85DEDB7B8FF14750B0441A9F901A31A1EB749E45CBA0
APIs
• VariantInit.OLEAUT32(?), ref: 00C03C5C
• CoInitialize.OLE32(00000000), ref: 00C03C8A
• CoUninitialize.OLE32 ref: 00C03C94
• _wcslen.LIBCMT ref: 00C03D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 00C03DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00C03ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C03F0E
• CoGetObject.OLE32(?,00000000,00C1FB98,?), ref: 00C03F2D
• SetErrorMode.KERNEL32(00000000), ref: 00C03F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C03FC4
• VariantClear.OLEAUT32(?), ref: 00C03FD8
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: 2874a25538e77af7068b9579097984a3a7c537c51b816907fbd9a773bf0502f7
• Instruction ID: 7f5b0de743ffb30843aea8e5a2609b05f8d351730d670f57cc208a77164155dc
• Opcode Fuzzy Hash: 2874a25538e77af7068b9579097984a3a7c537c51b816907fbd9a773bf0502f7
• Instruction Fuzzy Hash: 65C166716083419FD700DF68C88496BBBE9FF89744F10495DF99A9B2A0D730EE45CB52
APIs
• CoInitialize.OLE32(00000000), ref: 00BF7AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BF7B8F
• SHGetDesktopFolder.SHELL32(?), ref: 00BF7BA3
• CoCreateInstance.OLE32(00C1FD08,00000000,00000001,00C46E6C,?), ref: 00BF7BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BF7C74
• CoTaskMemFree.OLE32(?,?), ref: 00BF7CCC
• SHBrowseForFolderW.SHELL32(?), ref: 00BF7D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BF7D7A
• CoTaskMemFree.OLE32(00000000), ref: 00BF7D81
• CoTaskMemFree.OLE32(00000000), ref: 00BF7DD6
• CoUninitialize.OLE32 ref: 00BF7DDC
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 0cacad64e539851c0813074425ed75db7753975c9fd018d60643bf0cbc2fb79a
• Instruction ID: 94febdb004580853610c95c273403b3373563950319e30cb542982b53f4427fc
• Opcode Fuzzy Hash: 0cacad64e539851c0813074425ed75db7753975c9fd018d60643bf0cbc2fb79a
• Instruction Fuzzy Hash: D8C13A75A04109AFDB14DFA4C898DAEBBF9FF49304B1484E8F9199B261DB30ED45CB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BDFAAF
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00BDFB08
                                                                                                                                                                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00BDFB1A
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BDFB3A
                                                                                                                                                                                                                                                                                                                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00BDFB8D
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BDFBA1
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00BDFBB6
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00BDFBC3
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BDFBCC
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00BDFBDE
                                                                                                                                                                                                                                                                                                                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BDFBE9
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: d152e6387c36d9d147ec83b71f58bbe96699b476bd7e13c883ddefb091d5d60c
• Instruction ID: fa1f331e5ab9535a79f5b474ff50141ac18fc54388900108a7fb991870c60061
• Opcode Fuzzy Hash: d152e6387c36d9d147ec83b71f58bbe96699b476bd7e13c883ddefb091d5d60c
• Instruction Fuzzy Hash: 28414F35A0421A9FDB00DF64D894AFDBBB9FF08344F00806AF946A7261D730A945CB90
APIs
• GetKeyboardState.USER32(?), ref: 00BE9CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00BE9D22
• GetKeyState.USER32(000000A0), ref: 00BE9D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00BE9D57
• GetKeyState.USER32(000000A1), ref: 00BE9D6C
• GetAsyncKeyState.USER32(00000011), ref: 00BE9D84
• GetKeyState.USER32(00000011), ref: 00BE9D96
• GetAsyncKeyState.USER32(00000012), ref: 00BE9DAE
• GetKeyState.USER32(00000012), ref: 00BE9DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00BE9DD8
• GetKeyState.USER32(0000005B), ref: 00BE9DEA
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 1745c3adef0e82cd83817dbefd1a4056b3e04224af4d75ce299a3fc99ff2a9ca
• Instruction ID: c7c2bc6c940ff89f8a7b276f0a44b4f15ba1bc8b827c93f1edc70c29533faa12
• Opcode Fuzzy Hash: 1745c3adef0e82cd83817dbefd1a4056b3e04224af4d75ce299a3fc99ff2a9ca
• Instruction Fuzzy Hash: 6241D6345047D969FF30966688443F5BEE1EF12344F08C0EADAC6566C2DBA499CCC7A2
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C005BC
• inet_addr.WSOCK32(?), ref: 00C0061C
• gethostbyname.WSOCK32(?), ref: 00C00628
• IcmpCreateFile.IPHLPAPI ref: 00C00636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C006C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C006E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 00C007B9
• WSACleanup.WSOCK32 ref: 00C007BF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Ping
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1028309954-2246546115
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c38bf8719957abb66213fcd89a316a30cdc18eb7314626bf4e097ac621c48881
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f1b32e57c00f2102c8609e1c78c043eb8a2ae8a647f4d4ae65d498a24ca90ea4
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c38bf8719957abb66213fcd89a316a30cdc18eb7314626bf4e097ac621c48881
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A99180756082019FD720DF19C888F1ABBE0BF45318F2585A9F4698B6A2C774ED45CF91
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _wcslen$BuffCharLower
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 707087890-567219261
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cc5b3f66d7cc1e7482fa3eca4fab2115bc2a135acbe59813e2bbb8b41625fd9a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6607774b6cdd0a4fc7d559ee108347e9bb0e8508bbaa3dd95aafca2314b4f761
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc5b3f66d7cc1e7482fa3eca4fab2115bc2a135acbe59813e2bbb8b41625fd9a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF51C135A046179BCF14DF68C9409BEB7E5BF65720B218269E8B6E72C4DB30DE48C790
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CoInitialize.OLE32 ref: 00C03774
                                                                                                                                                                                                                                                                                                                                                                                  • CoUninitialize.OLE32 ref: 00C0377F
                                                                                                                                                                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00C1FB78,?), ref: 00C037D9
                                                                                                                                                                                                                                                                                                                                                                                  • IIDFromString.OLE32(?,?), ref: 00C0384C
                                                                                                                                                                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00C038E4
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00C03936
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 636576611-1287834457
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 73fcd004e5f1165d5b55587f6ef330e44a1fc7809c6258e8660bc3929e4c4d05
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6e25060fa89e8f75c427ba81cf607322fd821582a8ae7b84a8de513d45481ec5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 73fcd004e5f1165d5b55587f6ef330e44a1fc7809c6258e8660bc3929e4c4d05
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9161CF70608341AFD710DF55C888B6ABBE8FF49714F10499AF9959B2E1C770EE48CB92
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00BF8257
                                                                                                                                                                                                                                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BF8267
                                                                                                                                                                                                                                                                                                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BF8273
                                                                                                                                                                                                                                                                                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BF8310
                                                                                                                                                                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF8324
                                                                                                                                                                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF8356
                                                                                                                                                                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BF838C
                                                                                                                                                                                                                                                                                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00BF8395
                                                                                                                                                                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: eb2b357ab747fc0d10f46ef8ca357d6278960e8973fb0b631ef194aafa4c96a8
• Instruction ID: e7bc9b0dca05d1aa01dbc588b16cb19a769893de928b1be7ae61e0fc8a8d8d9b
• Opcode Fuzzy Hash: eb2b357ab747fc0d10f46ef8ca357d6278960e8973fb0b631ef194aafa4c96a8
• Instruction Fuzzy Hash: C46170715043459FC710EF64C840AAFB3E8FF89314F04899DF99997261DB31E949CB92
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00B85C7A
  • Part of subcall function 00B85D0A: GetClientRect.USER32(?,?), ref: 00B85D30
  • Part of subcall function 00B85D0A: GetWindowRect.USER32(?,?), ref: 00B85D71
  • Part of subcall function 00B85D0A: ScreenToClient.USER32(?,?), ref: 00B85D99
• GetDC.USER32 ref: 00BC46F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BC4708
• SelectObject.GDI32(00000000,00000000), ref: 00BC4716
• SelectObject.GDI32(00000000,00000000), ref: 00BC472B
• ReleaseDC.USER32(?,00000000), ref: 00BC4733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BC47C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: @U=u$U
• API String ID: 4009187628-4110099822
• Opcode ID: 9f7370fc52e13a467acb29468affa2d7baac49801770841018bf86de1ca6d68c
• Instruction ID: 437bfc88a3f8b8426f5f9f16504a2abe47bd6490fe4d71b1303e6e8c70bfd1a8
• Opcode Fuzzy Hash: 9f7370fc52e13a467acb29468affa2d7baac49801770841018bf86de1ca6d68c
• Instruction Fuzzy Hash: 6371A734400205DFCF219F64C994FEA3BE5FB4A324F1842AAED555A2AAC7309E81DF60
APIs
  • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
  • Part of subcall function 00B9912D: GetCursorPos.USER32(?), ref: 00B99141
  • Part of subcall function 00B9912D: ScreenToClient.USER32(00000000,?), ref: 00B9915E
  • Part of subcall function 00B9912D: GetAsyncKeyState.USER32(00000001), ref: 00B99183
  • Part of subcall function 00B9912D: GetAsyncKeyState.USER32(00000002), ref: 00B9919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00C18B6B
• ImageList_EndDrag.COMCTL32 ref: 00C18B71
• ReleaseCapture.USER32 ref: 00C18B77
• SetWindowTextW.USER32(?,00000000), ref: 00C18C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C18C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00C18CFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
• API String ID: 1924731296-2104563098
• Opcode ID: 25f3799417bb1e17e662ff4121ded4db18dc8ad2e11110c76621e1d919123b91
• Instruction ID: 4d9b115e2e441e62d84b69a87267e3ca98c0445b0fdbf3f73b336ef22acc91c3
• Opcode Fuzzy Hash: 25f3799417bb1e17e662ff4121ded4db18dc8ad2e11110c76621e1d919123b91
• Instruction Fuzzy Hash: 77518F74104300AFDB04EF14DC99BAE77E4FB89715F04066DF956672E1CB709A88DBA2
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00BF33CF
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BF33F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4099089115-3080491070
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2a5af720e061d29b1707bbaa6c55a1e05e0feb0d64aec421d83b4ac1d35d4848
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d907c462430fd624e0cc8892bc5030a9a3d89d2c18b0c1839a235305a2d9b122
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a5af720e061d29b1707bbaa6c55a1e05e0feb0d64aec421d83b4ac1d35d4848
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 09518D7190020AAADF14FBA0CD56EFEB3F8EF15B40F1440A5F505720A2EB256F98DB61
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1256254125-769500911
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9b359e5cd61cc39f31fe5744215c749218f652ad50d7389b249e7de2054de7a7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ff69371ae075d06e2232aa9cccd6d46a38c79cd589baaaf746598d6aaccfcade
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9b359e5cd61cc39f31fe5744215c749218f652ad50d7389b249e7de2054de7a7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4741A472A001679ECB206F7E88909BFF7E5FFA1764B2441A9E465DB284E731CD81C790
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00BF53A0
                                                                                                                                                                                                                                                                                                                                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BF5416
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00BF5420
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00BF54A7
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4194297153-14809454
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 416c1cc7f0ee62682ea4bf91ecc64ce4a6712a83c02635dcb5c183eaa2d8dde7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ea8fabedc19ca913efaaab9c748e068a965928ddfe31025dcb2b48b9b857ff89
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 416c1cc7f0ee62682ea4bf91ecc64ce4a6712a83c02635dcb5c183eaa2d8dde7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EA318175A006099FCB20DF68C484BB9BBF4FB45305F148099E605DB366D771DD8ACBA1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CreateMenu.USER32 ref: 00C13C79
                                                                                                                                                                                                                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 00C13C88
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C13D10
                                                                                                                                                                                                                                                                                                                                                                                  • IsMenu.USER32(?), ref: 00C13D24
                                                                                                                                                                                                                                                                                                                                                                                  • CreatePopupMenu.USER32 ref: 00C13D2E
                                                                                                                                                                                                                                                                                                                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C13D5B
                                                                                                                                                                                                                                                                                                                                                                                  • DrawMenuBar.USER32 ref: 00C13D63
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
• Opcode ID: b494e33b7c9b43b9af0b0d5b41244a9f0c54dc8a3fb3d84fc3c694f77ef56c22
• Instruction ID: e3b61773ce9ab901f5d7108123c75939a8d9b2271f9c6d126661aee1c068cfb4
• Opcode Fuzzy Hash: b494e33b7c9b43b9af0b0d5b41244a9f0c54dc8a3fb3d84fc3c694f77ef56c22
• Instruction Fuzzy Hash: BE418C78A01209AFDB14DF64E888BDE77B5FF4A354F144029F916A7360D730AA50DB94
APIs
• DeleteObject.GDI32(00000000), ref: 00C12D1B
• GetDC.USER32(00000000), ref: 00C12D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C12D2E
• ReleaseDC.USER32(00000000,00000000), ref: 00C12D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C12D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C12D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C15A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00C12DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C12DE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID: @U=u
• API String ID: 3864802216-2594219639
• Opcode ID: abfce2323ea763d7337238aebb384962d4a89015e9f481f4a18e6bae90e08ea3
• Instruction ID: ca1d234862f33613089ba1f168c3d65a3b5792ce4cb11555c1682d46901902c4
• Opcode Fuzzy Hash: abfce2323ea763d7337238aebb384962d4a89015e9f481f4a18e6bae90e08ea3
• Instruction Fuzzy Hash: FC317A76241214BFEB258F50DC8AFEB3BA9FF0A715F048055FE089A291C6759D90CBA4
APIs
• GetParent.USER32 ref: 00BE20AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 00BE20C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BE214D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-1428604138
• Opcode ID: 164466e16aa1ba3aaa26ce7b31c6540e843f376e00cf5631443af05f64fa4f9e
• Instruction ID: f456556f30ef00b6fc565e21b38454eb471acee8dc2b5d8f9e1c603c1c92437f
• Opcode Fuzzy Hash: 164466e16aa1ba3aaa26ce7b31c6540e843f376e00cf5631443af05f64fa4f9e
• Instruction Fuzzy Hash: EA1106766C8706BBFA012321EC06EEA37DCEB06324B2000A6FB04B50E2EBA169015615
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C13A9D
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C13AA0
• GetWindowLongW.USER32(?,000000F0), ref: 00C13AC7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C13AEA
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C13B62
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C13BAC
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C13BC7
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C13BE2
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C13BF6
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C13C13
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend$LongWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 312131281-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b2048b10cb350fde390d2c08f7cfa0b9f680cc3f48e9239a80468089c76dcbf9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ff152e1ae076420401508b6c5480551bdd3b737a484dc3d287432e8dfa95ec54
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b2048b10cb350fde390d2c08f7cfa0b9f680cc3f48e9239a80468089c76dcbf9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E619A75900248AFDB10DFA8CC81FEE77F8EB0A314F140199FA15A72A1D770AE81EB50
APIs
• GetCurrentThreadId.KERNEL32 ref: 00BEB151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB165
• GetWindowThreadProcessId.USER32(00000000), ref: 00BEB16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00BEB18D
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB1A6
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB1B8
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB1FD
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB212
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB21D
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: bd5b85e2b4bec64578bdfa2f5cfc41cdd81a913305f8b4c3b7ea59e30c2f98ce
• Instruction ID: 29c075a9bc70fe597d10ffb7cb6ce4bd4dd7f73201e616789ce18ddf8b58db01
• Opcode Fuzzy Hash: bd5b85e2b4bec64578bdfa2f5cfc41cdd81a913305f8b4c3b7ea59e30c2f98ce
• Instruction Fuzzy Hash: A9318D79550384BFDB109F26DC88FAF7BA9FF91352F108045FA01E6190D7B89A808F64
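The API chain listed above (GetCurrentThreadId, GetForegroundWindow, GetWindowThreadProcessId, then AttachThreadInput with fAttach set to 1 and later AttachThreadInput with fAttach set to 0) is the standard way a process joins the foreground thread's input queue so it can steal focus or push keystrokes past the SetForegroundWindow restrictions. GUI automation runtimes use the same sequence for legitimate window activation, so on its own it is a triage indicator rather than a verdict. The following Python is an added example written for this page, not part of the Joe Sandbox report or its tooling: it parses "APIs" listing lines in the report's own format and flags that attach/detach pattern. The sample listings are copied (the second one abbreviated) from the records on this page; the function and field names (parse_api_listing, detect_foreground_input_attach, ApiCall) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the "APIs" lines of the record above
# (API ID Thread$AttachInput$Window$Process$CurrentForeground).
SAMPLE_ATTACH_APIS = """\
• GetCurrentThreadId.KERNEL32 ref: 00BEB151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB165
• GetWindowThreadProcessId.USER32(00000000), ref: 00BEB16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00BEB18D
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB1A6
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB1B8
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB1FD
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB212
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00BEA1E1,?,00000001), ref: 00BEB21D
"""

# Constructed sample: an abbreviated copy of the CRT _free record, used as a
# benign control and to exercise the "Part of subcall function" line shape.
SAMPLE_FREE_APIS = """\
• _free.LIBCMT ref: 00BB2C94
  • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1), ref: 00BB29DE
• _free.LIBCMT ref: 00BB2CA0
"""

# One listing line: optional subcall prefix, Name.MODULE, optional (args), ref: hex
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str] = field(default_factory=list)
    ref: int = 0                      # call-site address from the "ref:" field
    subcall_of: Optional[int] = None  # set when the line is "Part of subcall function X"


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one "APIs" record in listing order.

    Lines that do not match the report's shape are skipped, so headers such as
    "Memory Dump Source" can be passed through without harm.
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def detect_foreground_input_attach(calls: List[ApiCall]) -> Optional[dict]:
    """Flag GetForegroundWindow followed by AttachThreadInput(fAttach=1).

    The third argument of AttachThreadInput is fAttach. A value of 00000001
    joins the caller to the target thread's input queue; 00000000 detaches.
    A '?' means the sandbox could not recover the value, and is counted as
    unknown rather than guessed. Returns None when the pattern is absent.
    """
    fg = next((c for c in calls if c.name == "GetForegroundWindow"), None)
    if fg is None:
        return None
    attach, detach, unknown = [], [], []
    for c in calls:
        if c.name != "AttachThreadInput" or c.ref <= fg.ref:
            continue
        flag = c.args[2] if len(c.args) >= 3 else "?"
        (attach if flag == "00000001" else detach if flag == "00000000" else unknown).append(c.ref)
    if not attach:
        return None
    return {
        "indicator": "foreground-thread input queue attach (focus steal / input injection)",
        "foreground_ref": fg.ref,
        "attach_refs": attach,
        "detach_refs": detach,
        "unknown_flag_refs": unknown,
        "balanced": len(detach) >= len(attach) - len(unknown),
    }


if __name__ == "__main__":
    for label, text in (("attach record", SAMPLE_ATTACH_APIS), ("_free record", SAMPLE_FREE_APIS)):
        finding = detect_foreground_input_attach(parse_api_listing(text))
        print(label, "->", finding or "no focus-steal indicator")
```

The "balanced" field is only a hint: the listing shows static call sites, not an execution trace, so an attach without a visible detach may simply be on another path. Combine the indicator with the report's own signatures (clipboard access, keystroke retrieval, BlockInput) before drawing conclusions.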
APIs
• _free.LIBCMT ref: 00BB2C94
  • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
  • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
• _free.LIBCMT ref: 00BB2CA0
• _free.LIBCMT ref: 00BB2CAB
• _free.LIBCMT ref: 00BB2CB6
• _free.LIBCMT ref: 00BB2CC1
• _free.LIBCMT ref: 00BB2CCC
• _free.LIBCMT ref: 00BB2CD7
• _free.LIBCMT ref: 00BB2CE2
• _free.LIBCMT ref: 00BB2CED
• _free.LIBCMT ref: 00BB2CFB
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: a3481386e697263b2d55611c20cb048e9bb8e686fbec11889e2d19a42eb142de
• Instruction ID: e440eda823d8e49cc5b1cf014d9c7f0def2f91da26f75573f3e06e29ceb1f5df
• Opcode Fuzzy Hash: a3481386e697263b2d55611c20cb048e9bb8e686fbec11889e2d19a42eb142de
• Instruction Fuzzy Hash: F7114476510108BFCB02EF54D982CED3BA5FF09350F5149A5FA889F722DAB1EE509B90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00BF35E4
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                  • LoadStringW.USER32(00C52390,?,00000FFF,?), ref: 00BF360A
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: LoadString$_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4099089115-2391861430
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6f6daa31bb9bfcbe956109bcfbad14fd40865a2455efd11687bd498aa24d4e52
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b255ab13d61d92d0ffe2f27475febd24785d5f0b2f0dc8c5e5c2dd74043a6abd
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6f6daa31bb9bfcbe956109bcfbad14fd40865a2455efd11687bd498aa24d4e52
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D8513E71800209BADF15FBA0CC96EFDBBB4EF05740F1841A5F605721A1EB315A99DBA1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C13925
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C1393A
                                                                                                                                                                                                                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C13954
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00C13999
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C139C6
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C139F4
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend$Window_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u$SysListView32
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2147712094-1908207174
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c3fc515a7a42125294729b216cabb8648abddac82ef86eb727de01a38a7c51ea
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ff0731c7c53c1f2c784408348821ea037cbdd3c6428979a9a811cbd726cd7821
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3fc515a7a42125294729b216cabb8648abddac82ef86eb727de01a38a7c51ea
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C041A071A00258ABEF219F64CC49BEE7BA9FF09354F100526F958E72C1D7B19E84DB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C12E1C
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C12E4F
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C12E84
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C12EB6
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C12EE0
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C12EF1
                                                                                                                                                                                                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C12F0B
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: LongWindow$MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2178440468-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 81cb51f9ba654238ddb9cc473dd18c89b19b79748edf6029c124b8ffa51aef82
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 80daa8a0549dce93a6f7d1d81214b7e9aea96ab55654f8bf151c46a8c3ea7044
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 81cb51f9ba654238ddb9cc473dd18c89b19b79748edf6029c124b8ffa51aef82
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A731F4386442509FDB218F58DC88FA937E1FF4B722F194164F9219B2B1CB71ADA1AB41
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BFC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BFC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BFC2CA
• GetLastError.KERNEL32 ref: 00BFC322
• SetEvent.KERNEL32(?), ref: 00BFC336
• InternetCloseHandle.WININET(00000000), ref: 00BFC341
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BC3AAF,?,?,Bad directive syntax error,00C1CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BE98BC
• LoadStringW.USER32(00000000,?,00BC3AAF,?), ref: 00BE98C3
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BE9987
Strings
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
Similarity
• API ID:
• String ID:
APIs
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1282221369-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 85abae3b5d78e9d57597b8002b5783285881acbfc568bcfaf44ab6158a24c4d3
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: eaf7a1037c886952064a80742aea6f9fe0069f9b8dfe1040520b87cbccf637b8
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85abae3b5d78e9d57597b8002b5783285881acbfc568bcfaf44ab6158a24c4d3
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 63611071A04301ABDB21EFB49891BFE7FE6EF05320F1441EDF944AB282E6B59D458790
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BFC182
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00BFC195
                                                                                                                                                                                                                                                                                                                                                                                  • SetEvent.KERNEL32(?), ref: 00BFC1A9
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BFC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BFC272
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BFC253: GetLastError.KERNEL32 ref: 00BFC322
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BFC253: SetEvent.KERNEL32(?), ref: 00BFC336
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BFC253: InternetCloseHandle.WININET(00000000), ref: 00BFC341
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 337547030-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: e0e28b017134f2a9e131fd34f4d9af327f29560d76fe6d653a07f2089e2026da
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: da857abf3d5abdf15a1f094d57267acc80dbd4f1010f4240a34a5ad9fcf46118
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e0e28b017134f2a9e131fd34f4d9af327f29560d76fe6d653a07f2089e2026da
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D4319C7124060DAFDB219FA5DE84BBABFE8FF19300B00845DFA5683610C730E958DBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE3A57
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE3A3D: GetCurrentThreadId.KERNEL32 ref: 00BE3A5E
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BE25B3), ref: 00BE3A65
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BE25BD
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BE25DB
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00BE25DF
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BE25E9
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BE2601
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00BE2605
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BE260F
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BE2623
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00BE2627
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2014098862-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8bccffd772cc7cb2be83cfaccce0be7c6ee3f944e6ca9a15afd0b8c15818f1ca
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 07c8fa235cb1710b5d3a5fd3e640f25fdef4c3068b0b4912da600e9316f8a9fd
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8bccffd772cc7cb2be83cfaccce0be7c6ee3f944e6ca9a15afd0b8c15818f1ca
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1101B1302D0354BBFB1067699CCAF9D3E99EB4AB12F204011F318AF0D1CAE224448A69
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00BE1449,?,?,00000000), ref: 00BE180C
                                                                                                                                                                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00BE1449,?,?,00000000), ref: 00BE1813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BE1449,?,?,00000000), ref: 00BE1828
• GetCurrentProcess.KERNEL32(?,00000000,?,00BE1449,?,?,00000000), ref: 00BE1830
• DuplicateHandle.KERNEL32(00000000,?,00BE1449,?,?,00000000), ref: 00BE1833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BE1449,?,?,00000000), ref: 00BE1843
• GetCurrentProcess.KERNEL32(00BE1449,00000000,?,00BE1449,?,?,00000000), ref: 00BE184B
• DuplicateHandle.KERNEL32(00000000,?,00BE1449,?,?,00000000), ref: 00BE184E
• CreateThread.KERNEL32(00000000,00000000,00BE1874,00000000,00000000,00000000), ref: 00BE1868
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: f01e0482adf484454f1c388332f5506d0e9beeafa785d7849ce20cc1e230fc36
• Instruction ID: 9395b4ba4462300140161c10e35c7747828c1cb4bab674be2d2aaf457e616960
• Opcode Fuzzy Hash: f01e0482adf484454f1c388332f5506d0e9beeafa785d7849ce20cc1e230fc36
• Instruction Fuzzy Hash: 6D01ACB52C0344BFE610AB65DC89F9F7BACFB8AB11F508411FA05DB1A1C67098118B20
APIs
  • Part of subcall function 00BED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00BED501
  • Part of subcall function 00BED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00BED50F
  • Part of subcall function 00BED4DC: CloseHandle.KERNEL32(00000000), ref: 00BED5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C0A16D
• GetLastError.KERNEL32 ref: 00C0A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C0A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00C0A268
• GetLastError.KERNEL32(00000000), ref: 00C0A273
• CloseHandle.KERNEL32(00000000), ref: 00C0A2C4
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: c3e18f872c9b214566c515e03fa33c570efc497365897d275e823ce0b14d5fdd
• Instruction ID: c6a76f5027733c5eeffd8f9eefe105df56b582926047f521c62cc35eb45315b9
• Opcode Fuzzy Hash: c3e18f872c9b214566c515e03fa33c570efc497365897d275e823ce0b14d5fdd
• Instruction Fuzzy Hash: CC617B70208342AFD720DF19C494F5ABBE1AF54318F14849CE46A8B7A3C776ED49CB92
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BEBCFD
• IsMenu.USER32(00000000), ref: 00BEBD1D
• CreatePopupMenu.USER32 ref: 00BEBD53
• GetMenuItemCount.USER32(011B5330), ref: 00BEBDA4
• InsertMenuItemW.USER32(011B5330,?,00000001,00000030), ref: 00BEBDCC
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
• API String ID: 93392585-3793063076
• Opcode ID: f174e8168313a8bc17210f658a10536df78d3c5e4eb742942a914ac476603225
• Instruction ID: 2a75ae57ea05cefa351ebb5760fa23c39907040913a8e49b2f4b900d6355839d
• Opcode Fuzzy Hash: f174e8168313a8bc17210f658a10536df78d3c5e4eb742942a914ac476603225
• Instruction Fuzzy Hash: 22519D70A042899BDB10CFAADCC4FAFBBF5FF45314F2482A9E41197290D7709941CB51
APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00BDF3AB,00000000,?,?,00000000,?,00BD682C,00000004,00000000,00000000), ref: 00C1824C
• EnableWindow.USER32(?,00000000), ref: 00C18272
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C182D1
• ShowWindow.USER32(?,00000004), ref: 00C182E5
• EnableWindow.USER32(?,00000001), ref: 00C1830B
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C1832F
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 642888154-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 374af01dfa0c99e2467931502ec73d710008328295437b6a4a42fdd3f6648e95
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 2ba9408783e1d7bbc4545693bce0670055745a95b03625ac61c0f3cb3ceede0b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 374af01dfa0c99e2467931502ec73d710008328295437b6a4a42fdd3f6648e95
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E41C374605640AFDF22CF14C899BE87BE0BB0B715F1C4168F9285B2B2CB71AD89DB40
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • IsWindowVisible.USER32(?), ref: 00BE4C95
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BE4CB2
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BE4CEA
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BE4D08
                                                                                                                                                                                                                                                                                                                                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BE4D10
                                                                                                                                                                                                                                                                                                                                                                                  • _wcsstr.LIBVCRUNTIME ref: 00BE4D1A
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 72514467-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d0f49c5e8a6a6a4679e314de4e420f44f911a23c3e061e7ebae4bbb0ca4cc052
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 348fe2bb33aec980f379e6fe6661f55c2ebbc72885b311a8c5ed9f12fa295b5c
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d0f49c5e8a6a6a4679e314de4e420f44f911a23c3e061e7ebae4bbb0ca4cc052
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F121A771604245BBEB155B2A9C89F7F7BDCDF46750F10C0B9F805CA191DB61DC4196A0
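The "APIs" bullets in these entries are Joe Sandbox's per-function call listings. As an added example that is not part of the report, the Python below parses that bullet format (`Name.MODULE(args), ref: address`) into records and applies one triage rule: the entry at 00BE4C95 reads a visible window's caption with WM_GETTEXTLENGTH (0x0E) and WM_GETTEXT (0x0D), upper-cases it with CharUpperBuffW and runs wcsstr, which is the shape of a case-insensitive window-title substring match. The sample input is constructed from that entry; the message-name table and the rule are mine, and the report does not establish whether this routine belongs to the AutoIt runtime (the sample is flagged as a likely compiled AutoIt script) or to the script's own logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input constructed from the report's "APIs" entry for the function at
# 00BE4C95..00BE4D1A (same text as the report prints, one call per line).
SAMPLE_ENTRY = """\
• IsWindowVisible.USER32(?), ref: 00BE4C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BE4CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BE4CEA
• _wcslen.LIBCMT ref: 00BE4D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BE4D10
• _wcsstr.LIBVCRUNTIME ref: 00BE4D1A
"""

# Message IDs that appear in this report's SendMessageW calls (values from
# winuser.h / commctrl.h; TCM_* are tab-control messages, TCM_FIRST = 0x1300).
# Assumption: only these four are needed for the entries shown here.
MSG_NAMES = {
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x130C: "TCM_SETCURSEL",
    0x1328: "TCM_ADJUSTRECT",
}

# One bullet: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?'
    ref: int                    # address of the call site

    def arg(self, i: int) -> Optional[int]:
        return self.args[i] if i < len(self.args) else None


def parse_entry(text: str) -> List[ApiCall]:
    """Parse the 'APIs' bullet list of one function entry into ApiCall records."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised trace line: {line!r}")
        raw = m.group("args")
        args: List[Optional[int]] = []
        if raw:
            for a in raw.split(","):
                a = a.strip()
                args.append(None if a == "?" else int(a, 16))
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def messages_sent(calls: List[ApiCall]) -> List[str]:
    """Name every SendMessageW message ID in the entry (hex when unknown)."""
    out = []
    for c in calls:
        if c.name == "SendMessageW" and c.arg(1) is not None:
            out.append(MSG_NAMES.get(c.arg(1), f"0x{c.arg(1):04X}"))
    return out


def is_window_title_probe(calls: List[ApiCall]) -> bool:
    """True when the entry fetches a visible window's caption (WM_GETTEXTLENGTH
    then WM_GETTEXT), upper-cases it and runs wcsstr: a case-insensitive
    window-title substring match rather than a GUI drawing routine."""
    names = {c.name for c in calls}
    msgs = set(messages_sent(calls))
    return (
        "IsWindowVisible" in names
        and {"WM_GETTEXTLENGTH", "WM_GETTEXT"} <= msgs
        and "CharUpperBuffW" in names
        and "_wcsstr" in names
    )


if __name__ == "__main__":
    entry = parse_entry(SAMPLE_ENTRY)
    for c in entry:
        print(f"{c.ref:08X} {c.module:<13} {c.name}")
    print("messages:", messages_sent(entry))
    print("window-title probe:", is_window_title_probe(entry))
```

The parser raises on any bullet it cannot read rather than skipping it, so a changed report layout fails loudly instead of silently dropping calls from the rule's input.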
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00BEC913
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: 79e2184888d07f3b544c94cb462c6ac41d14fbb7f9931f1b3dd4bb0b4f88ab6b
• Instruction ID: ceca26ebe85ffd54b989e1a35bb52bd537bbd8475b96e6ef9f4c38db769145e4
• Opcode Fuzzy Hash: 79e2184888d07f3b544c94cb462c6ac41d14fbb7f9931f1b3dd4bb0b4f88ab6b
• Instruction Fuzzy Hash: AF113A3668D346BAE7029B15DCC3DAE2BDCEF16315B2000BAF500A62C3E7B49E015269
APIs
• GetClientRect.USER32(?), ref: 00BD7452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00BD7469
• GetWindowDC.USER32(?), ref: 00BD7475
• GetPixel.GDI32(00000000,?,?), ref: 00BD7484
• ReleaseDC.USER32(?,00000000), ref: 00BD7496
• GetSysColor.USER32(00000005), ref: 00BD74B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 272304278-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0ea15a57500daed46a48d42eaf8b2fa201a38a0d76a2da400a863997ae1638db
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 78ff3d0548ffaec4133e4f915c6c3329923a842cd4dd22cee41feb55870bfb11
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0ea15a57500daed46a48d42eaf8b2fa201a38a0d76a2da400a863997ae1638db
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3018B31480215EFDB515F64DC88BEEBBB6FB05311F6080A4F916A22A0DF311E41EF10
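The API-call lines in these function blocks all share one fixed shape, `Name.MODULE(args), ref: address`, with `?` standing for an argument the sandbox could not resolve. That makes them easy to turn into per-function call sequences for triage, for example to check whether a block contains an ordered API chain of interest. The parser below is an added example, not Joe Sandbox code; the sample block is copied verbatim from the GetPixel function above, and the three-call chain it checks for is a hypothetical pattern chosen only to illustrate the matcher.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the six API-call lines of the GetPixel function
# block in this report, copied verbatim (bullet glyph included).
SAMPLE_BLOCK = """\
• GetClientRect.USER32(?), ref: 00BD7452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00BD7469
• GetWindowDC.USER32(?), ref: 00BD7475
• GetPixel.GDI32(00000000,?,?), ref: 00BD7484
• ReleaseDC.USER32(?,00000000), ref: 00BD7496
• GetSysColor.USER32(00000005), ref: 00BD74B0
"""

# One report line: "<api>.<module>(<comma-separated args>), ref: <hex address>".
# Each argument is either a hex value or "?" when the sandbox could not resolve it.
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_arg(token: str) -> Optional[int]:
    """Hex argument -> int; unresolved '?' (or empty) -> None."""
    token = token.strip()
    if token in ("?", ""):
        return None
    return int(token, 16)


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one API-call line; return None for headings such as 'Strings'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args_text = m.group("args")
    args = [parse_arg(t) for t in args_text.split(",")] if args_text.strip() else []
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),  # call-site address inside the dump
    }


def parse_api_block(text: str) -> List[Dict]:
    """Parse every API-call line in a block, skipping lines that do not match."""
    records = []
    for line in text.splitlines():
        rec = parse_api_line(line)
        if rec is not None:
            records.append(rec)
    return records


def api_sequence(records: List[Dict]) -> List[str]:
    """API names in the order the report lists them."""
    return [r["api"] for r in records]


def contains_chain(sequence: List[str], chain: List[str]) -> bool:
    """True if `chain` occurs in `sequence` as an ordered, not necessarily
    contiguous, subsequence (the usual meaning of an 'API chain' match)."""
    pos = 0
    for name in sequence:
        if pos < len(chain) and name == chain[pos]:
            pos += 1
    return pos == len(chain)


if __name__ == "__main__":
    recs = parse_api_block(SAMPLE_BLOCK)
    for r in recs:
        print(f"{r['ref']:08X} {r['module']}!{r['api']} {r['args']}")
    # Hypothetical chain for illustration: pixel readback through a window DC.
    print(contains_chain(api_sequence(recs), ["GetWindowDC", "GetPixel", "ReleaseDC"]))
```

Because the matcher treats the chain as a subsequence, unrelated calls interleaved between the ones of interest do not break a match; reverse order does. Feed `parse_api_block` the text of any "APIs" section of this report to get the same records for other functions.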
APIs
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
• Opcode ID: 951986eeda6691345538377bce7251174a6fe25176c541aaf7cd5ea49e6b56e9
• Instruction ID: d02571f72f511ab615bc5c5289ede6a678bf4e426ac2d177e1edc6d10c8b0b59
• Opcode Fuzzy Hash: 951986eeda6691345538377bce7251174a6fe25176c541aaf7cd5ea49e6b56e9
• Instruction Fuzzy Hash: B5419365C10258B9CB11EBF5CC8AACFB7ECAF46710F5084A6E524E3121FB34E655C3A5
APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BD682C,00000004,00000000,00000000), ref: 00B9F953
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BD682C,00000004,00000000,00000000), ref: 00BDF3D1
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BD682C,00000004,00000000,00000000), ref: 00BDF454
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 1bf88ef85ab782857ebe5533edaa9c84bcdcf158c779c48de63d5e03bcb45bde
• Instruction ID: c5860d8a2db1dad9d910015bbc468f667c834cfacf470f5136fb65f79e9035d0
• Opcode Fuzzy Hash: 1bf88ef85ab782857ebe5533edaa9c84bcdcf158c779c48de63d5e03bcb45bde
• Instruction Fuzzy Hash: 0C41E931618642BACF399B2988C877ABBD2FB57334F1484BDF447D6660D671E880CB51
APIs
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: dca1d181f0979f52df83c029316c3f4c0ba3dd60490d4d032a17d44e0799cf3d
• Instruction ID: bf2b3b1142c0ad39a3cb0a6feb05bf23083984fec52b8e21a0a55a63dd74135b
• Opcode Fuzzy Hash: dca1d181f0979f52df83c029316c3f4c0ba3dd60490d4d032a17d44e0799cf3d
• Instruction Fuzzy Hash: BD21C561644A497FD6349E268EA2FFF23DCEE22388F4400B4FD059A581F760ED1191E9
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-572801152
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3d7c6996f932c16bf3b883333a11e3aa0057f874a1bb643e8d8e9696c5c5ed38
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f1b033edf937c3076e44e22f40ace926d17c8f00db7ae1b9e1b6675430c12250
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d7c6996f932c16bf3b883333a11e3aa0057f874a1bb643e8d8e9696c5c5ed38
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 59D1B175A0060A9FDF10CFA8C881BAEB7B5FF48354F148069E925AB291E770DE45CF90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BC17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BC15CE
                                                                                                                                                                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BC1651
                                                                                                                                                                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BC17FB,?,00BC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BC16E4
                                                                                                                                                                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BC16FB
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BB3820: RtlAllocateHeap.NTDLL(00000000,?,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6,?,00B81129), ref: 00BB3852
                                                                                                                                                                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BC17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00BC1777
                                                                                                                                                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00BC17A2
                                                                                                                                                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00BC17AE
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2829977744-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 70836a14f2a8cdf459fefb1f9f2d0143e1119c77dd1c9cecd2fbf3a0eae8e174
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 53cc0fa382ef81df9ac5c07d1f3c06bc9e967202f119ee23b8acba3ed74ee38f
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 70836a14f2a8cdf459fefb1f9f2d0143e1119c77dd1c9cecd2fbf3a0eae8e174
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67918171E102169ADB208E68C891FEE7BF5EF5A710F184AAEE811F7142D735DD408BA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Variant$ClearInit
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2610073882-625585964
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c3e282a45886d586ccda179101807d70691653f603cd7240845381b7c2703d0a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: cb20ee2413e1639a9880db5874c07468b98c6c58f45a9fb921461412e828103b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3e282a45886d586ccda179101807d70691653f603cd7240845381b7c2703d0a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BE9162B1A00215ABDF28CFA5C844FAF7BB8EF46714F108559F615AB281D7709945CFA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00BF125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00BF1284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00BF12A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BF12D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BF135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BF13C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00BF1430
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
• Opcode ID: 1c59072a50edce7de3595269ed0d241db4e4d40d177d75e76ca20b7578a35dd7
• Instruction ID: 1386a37e317e40d8921141c5dd7cfebe113f3ff7238145499a2253476358d877
• Opcode Fuzzy Hash: 1c59072a50edce7de3595269ed0d241db4e4d40d177d75e76ca20b7578a35dd7
• Instruction Fuzzy Hash: A391B171A00209EFDB00DF98D885BBEB7F5FF45325F1088A9E610EB291D774A949CB90
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: c0d77106f61b9dcc606d5448a8cf47e73df0dbd64413d0267635888a50b617a2
• Instruction ID: 43177dc97832ac22848ea53c376f921c4fe7fc8b3a10b3f53ca927e4fb69875d
• Opcode Fuzzy Hash: c0d77106f61b9dcc606d5448a8cf47e73df0dbd64413d0267635888a50b617a2
• Instruction Fuzzy Hash: 38912671940219EFCF50CFA9C884AEEBBB8FF49320F15809AE515B7251D774A942CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00C0396B
• CharUpperBuffW.USER32(?,?), ref: 00C03A7A
• _wcslen.LIBCMT ref: 00C03A8A
• VariantClear.OLEAUT32(?), ref: 00C03C1F
  • Part of subcall function 00BF0CDF: VariantInit.OLEAUT32(00000000), ref: 00BF0D1F
  • Part of subcall function 00BF0CDF: VariantCopy.OLEAUT32(?,?), ref: 00BF0D28
  • Part of subcall function 00BF0CDF: VariantClear.OLEAUT32(?), ref: 00BF0D34
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: d9eba42a71b5f74c892407f930d6286ce7230e4d66b685c7645744ad5bf0b275
• Instruction ID: 6788224923eddaab8c9f5aca07e926ac8f94ced427919c64082d4982dffa909b
• Opcode Fuzzy Hash: d9eba42a71b5f74c892407f930d6286ce7230e4d66b685c7645744ad5bf0b275
• Instruction Fuzzy Hash: 0E917B746083459FCB04EF64C48096AB7E8FF89714F14896DF89A9B391DB30EE45CB92
APIs
  • Part of subcall function 00BE000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?,?,00BE035E), ref: 00BE002B
  • Part of subcall function 00BE000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?), ref: 00BE0046
  • Part of subcall function 00BE000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?), ref: 00BE0054
  • Part of subcall function 00BE000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?), ref: 00BE0064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C04C51
• _wcslen.LIBCMT ref: 00C04D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C04DCF
• CoTaskMemFree.OLE32(?), ref: 00C04DDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: NULL Pointer assignment
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 614568839-2785691316
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6e3f2bd55bcd7d162fac965c8ccd2e267b1732dcbc5109b933b53341fa976b5f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b35f3e4cca367000cc1317fba213fee67eba2ec61db3de70216081efbc0a97f4
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6e3f2bd55bcd7d162fac965c8ccd2e267b1732dcbc5109b933b53341fa976b5f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 899109B1D0021D9FDF14EFA4C891AEEB7B9BF08310F1081AAE525B7291DB709A45CF60
APIs
• GetMenu.USER32(?), ref: 00C12183
• GetMenuItemCount.USER32(00000000), ref: 00C121B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C121DD
• _wcslen.LIBCMT ref: 00C12213
• GetMenuItemID.USER32(?,?), ref: 00C1224D
• GetSubMenu.USER32(?,?), ref: 00C1225B
  • Part of subcall function 00BE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE3A57
  • Part of subcall function 00BE3A3D: GetCurrentThreadId.KERNEL32 ref: 00BE3A5E
  • Part of subcall function 00BE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BE25B3), ref: 00BE3A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C122E3
  • Part of subcall function 00BEE97B: Sleep.KERNEL32 ref: 00BEE9F3
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
• Opcode ID: 506ee94f515e39835012abf769432fb947602c42d97a2aef5919ad3f85a9e3ef
• Instruction ID: bd1081595b7c9fe260d34a961ae35e5956cfbb63a66740022d5e8ca39427ce02
• Opcode Fuzzy Hash: 506ee94f515e39835012abf769432fb947602c42d97a2aef5919ad3f85a9e3ef
• Instruction Fuzzy Hash: 75719179A00205AFCB10DF65C845AEEB7F5FF49320F148498E826EB351D734EE819B90
APIs
• GetParent.USER32(?), ref: 00BEAEF9
• GetKeyboardState.USER32(?), ref: 00BEAF0E
• SetKeyboardState.USER32(?), ref: 00BEAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00BEAF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00BEAFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00BEAFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BEB020
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 17bd443c82e0d4cc942189a45f14f1a61ec293d5039347005d06b7edb36bafb6
• Instruction ID: 9bf178071333cddf206678d5fb6fd82e779b5718f67545b3b84a27283177548e
• Opcode Fuzzy Hash: 17bd443c82e0d4cc942189a45f14f1a61ec293d5039347005d06b7edb36bafb6
• Instruction Fuzzy Hash: 0C51AEA06046D53DFB3683368845BBBBEE99B06304F0885C9F1D9958D3C398F888D791
APIs
• GetParent.USER32(00000000), ref: 00BEAD19
• GetKeyboardState.USER32(?), ref: 00BEAD2E
• SetKeyboardState.USER32(?), ref: 00BEAD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BEADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BEADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BEAE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BEAE38
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: fbf8eb94ff21cb73487f06409bdd2a6409e1eabc91d9849129ea8f360a5bbaf8
• Instruction ID: e6178ba3737a60feb602d39ae8bf73bf5befe46a039e91df6d6da45d48b73822
• Opcode Fuzzy Hash: fbf8eb94ff21cb73487f06409bdd2a6409e1eabc91d9849129ea8f360a5bbaf8
• Instruction Fuzzy Hash: 0851D1A15047D53DFB3282268C95BBABEEDAF46300F1885D8F1D5568C2C394FC98D762
APIs
• GetConsoleCP.KERNEL32(00BC3CD6,?,?,?,?,?,?,?,?,00BB5BA3,?,?,00BC3CD6,?,?), ref: 00BB5470
• __fassign.LIBCMT ref: 00BB54EB
• __fassign.LIBCMT ref: 00BB5506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00BC3CD6,00000005,00000000,00000000), ref: 00BB552C
• WriteFile.KERNEL32(?,00BC3CD6,00000000,00BB5BA3,00000000,?,?,?,?,?,?,?,?,?,00BB5BA3,?), ref: 00BB554B
• WriteFile.KERNEL32(?,?,00000001,00BB5BA3,00000000,?,?,?,?,?,?,?,?,?,00BB5BA3,?), ref: 00BB5584
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: fcfdba36153b4d2fce44cf987d83800e4b1bb2b4a289e60d5ec8848f9d5258c6
• Instruction ID: 5fd3e1657363bf93e5ce1f3c98c4309321f2d05004bf565d7b3d889bf24b040a
• Opcode Fuzzy Hash: fcfdba36153b4d2fce44cf987d83800e4b1bb2b4a289e60d5ec8848f9d5258c6
• Instruction Fuzzy Hash: FD51D371A00648AFDB20CFA8D881BFEBBF9EF19301F14419AF555E7291D7B09A41CB61
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C16C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00C16C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C16C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00BFAB79,00000000,00000000), ref: 00C16C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C16CC7
Strings
Similarity
• API ID: Window$Long$MessageSendShow
• String ID: @U=u
• API String ID: 3688381893-2594219639
• Opcode ID: 4e2d9070a40320ceabbe18c371e38459a5a37ad6a4f30a06e6dd477e0faf3ae1
• Instruction ID: fd3229eca785378ddd9154df8e7d8ea4878e3fc05759328a5e5c8812c4e2e790
• Opcode Fuzzy Hash: 4e2d9070a40320ceabbe18c371e38459a5a37ad6a4f30a06e6dd477e0faf3ae1
• Instruction Fuzzy Hash: 4E41B935604104AFD724CF29CC68FE97BA5EB0B350F154258FDA5A72E0D771EE81EA90
APIs
• _ValidateLocalCookies.LIBCMT ref: 00BA2D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 00BA2D53
• _ValidateLocalCookies.LIBCMT ref: 00BA2DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 00BA2E0C
• _ValidateLocalCookies.LIBCMT ref: 00BA2E61
Strings
Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: csm
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a1b34cec62deafe560d7154736acab34ce4a806fad72426f11aa4caff2752222
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: e87612afbbc5a2c586f57407a3d4b02216dadcf71b4db5a925c7e7c0b5599b3a
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a1b34cec62deafe560d7154736acab34ce4a806fad72426f11aa4caff2752222
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E41A134A08209ABCF10DF6CC885A9EBBF5FF46324F1481A5F8156B392D735EA15CB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C0307A
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0304E: _wcslen.LIBCMT ref: 00C0309B
                                                                                                                                                                                                                                                                                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C01112
                                                                                                                                                                                                                                                                                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00C01121
                                                                                                                                                                                                                                                                                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00C011C9
                                                                                                                                                                                                                                                                                                                                                                                  • closesocket.WSOCK32(00000000), ref: 00C011F9
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2675159561-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: aef970fbcc94a0819c6f20981ad9f6f6ed32ecff9336cd0e69e090b50fb85f0f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ad45c3ab10acbac094e4f55e3eb1dcf65463145ea2c5a3dc5d71bd9fb6992588
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aef970fbcc94a0819c6f20981ad9f6f6ed32ecff9336cd0e69e090b50fb85f0f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A341B171600204AFEB149F14C884BAEBBE9FF45328F188059FD159B2D2C770AE41CBE1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BECF22,?), ref: 00BEDDFD
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BECF22,?), ref: 00BEDE16
                                                                                                                                                                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00BECF45
                                                                                                                                                                                                                                                                                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00BECF7F
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BED005
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BED01B
                                                                                                                                                                                                                                                                                                                                                                                  • SHFileOperationW.SHELL32(?), ref: 00BED061
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: \*.*
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3164238972-1173974218
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f025bf6f1ffe0751ac83d938d37a7ca933f0bd960074e18dbb83af326e1338e9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: cc8c148fd19376bdff8bf3193bde9ec349e0e66ae4cba15ba69e9a989af503a5
• Opcode Fuzzy Hash: f025bf6f1ffe0751ac83d938d37a7ca933f0bd960074e18dbb83af326e1338e9
• Instruction Fuzzy Hash: 244156719452585FDF12EBA5C981BDEB7F9EF09380F0000E6E509EB142EB74E689CB50
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BE7769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BE778F
• SysAllocString.OLEAUT32(00000000), ref: 00BE7792
• SysAllocString.OLEAUT32(?), ref: 00BE77B0
• SysFreeString.OLEAUT32(?), ref: 00BE77B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 00BE77DE
• SysAllocString.OLEAUT32(?), ref: 00BE77EC
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 928c0ba9da1abcf38d86928c8ed7f38a6d628ea17b88a5cc057b715136ed4fe8
• Instruction ID: 806f342d9d20fbce25f260c3dcc737c1dac2c893175174726cd75fa8e471f617
• Opcode Fuzzy Hash: 928c0ba9da1abcf38d86928c8ed7f38a6d628ea17b88a5cc057b715136ed4fe8
• Instruction Fuzzy Hash: BB217C76648219AFDB109FA9CC88EFB77ECEB0A7647148065BA15DB190DB70DC4287A0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BE7842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BE7868
• SysAllocString.OLEAUT32(00000000), ref: 00BE786B
• SysAllocString.OLEAUT32 ref: 00BE788C
• SysFreeString.OLEAUT32 ref: 00BE7895
• StringFromGUID2.OLE32(?,?,00000028), ref: 00BE78AF
• SysAllocString.OLEAUT32(?), ref: 00BE78BD
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 32be0a2d4ca1d9a3632e70d6c9a0f6c1b388287ea9fb095cc83603b74e2cb35e
• Instruction ID: 6345198c9c255958cc086a817e1e8e65ed62d40c8ea268c94de03b633e0f3fc3
• Opcode Fuzzy Hash: 32be0a2d4ca1d9a3632e70d6c9a0f6c1b388287ea9fb095cc83603b74e2cb35e
• Instruction Fuzzy Hash: 4B21AC31648214AFAB10ABAACCCCEBA77ECFB193607108165F914CB2A0DB74DC41CB64
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C15745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00C1579D
• _wcslen.LIBCMT ref: 00C157AF
• _wcslen.LIBCMT ref: 00C157BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00C15816
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID: @U=u
• API String ID: 763830540-2594219639
• Opcode ID: 0fd1bbc9a8637c67db484d119425a2a6fe11533cb6ebab012d3fab79213c6f50
• Instruction ID: be8e43f57eb9219b3489c410df7c5d1ee2c52efba586f700e14a419b6185f439
• Opcode Fuzzy Hash: 0fd1bbc9a8637c67db484d119425a2a6fe11533cb6ebab012d3fab79213c6f50
• Instruction Fuzzy Hash: 9B21B475904618DADB209FA1CC85AEEB7B8FF86324F108256F929EB1C0D7708AC5DF50
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00BF04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BF052E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CreateHandlePipe
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: nul
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1424370930-2873401336
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3d78252947e11fecaa362f1155908d4d0ff8e1c5d3bec28271c1e824f4a1cce2
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ebc620b22f5209dd93484f9d4ec9a0a6cadb1d6f183e8161938453830e9108d4
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d78252947e11fecaa362f1155908d4d0ff8e1c5d3bec28271c1e824f4a1cce2
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 05216F71510209ABDB20AF29D884BAA77E4FF55724F204A59F9A1971F2D7B09944CF20
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00BF05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BF0601
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 7c1d70c6ea5afc04fe5f106ae93928114dec2dfdbb814d8d8e676909d3a49c74
• Instruction ID: 79726cf14e3361e21eb0c0e200c3efbb3a576a8c0119996b3fc011186c945d8a
• Opcode Fuzzy Hash: 7c1d70c6ea5afc04fe5f106ae93928114dec2dfdbb814d8d8e676909d3a49c74
• Instruction Fuzzy Hash: C821D675510319ABDB20AF688C44BAA77E4FF95720F204A59FAA1D72F1D7B09854CB10
APIs
  • Part of subcall function 00B8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B8604C
  • Part of subcall function 00B8600E: GetStockObject.GDI32(00000011), ref: 00B86060
  • Part of subcall function 00B8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B8606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C14112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C1411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C1412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C14139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C14145
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 6e461a0038326dadd0d2329b192aab96ca9cf4890bad62b92a118223b096e864
• Instruction ID: a504224efad4740dd3eeb3be99ec10c7ee7f52851caa4b7dbdfdfc77f43319bb
• Opcode Fuzzy Hash: 6e461a0038326dadd0d2329b192aab96ca9cf4890bad62b92a118223b096e864
• Instruction Fuzzy Hash: 5F11B2B2140219BEEF119F64CC85EEB7FADEF09798F114110FA18A6090C7729C61DBA4
APIs
  • Part of subcall function 00BBD7A3: _free.LIBCMT ref: 00BBD7CC
• _free.LIBCMT ref: 00BBD82D
  • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
  • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
• _free.LIBCMT ref: 00BBD838
• _free.LIBCMT ref: 00BBD843
• _free.LIBCMT ref: 00BBD897
• _free.LIBCMT ref: 00BBD8A2
• _free.LIBCMT ref: 00BBD8AD
• _free.LIBCMT ref: 00BBD8B8
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 776569668-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 830f03e8a2cd74caf6fafb0d028b89078f525b0d8e42537efb510c1384adc470
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5D112E71540B04BBD621BFB1CC47FEB7BDCAF04700F404C65B29DA6592EAE9B9058660
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BEDA74
• LoadStringW.USER32(00000000), ref: 00BEDA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BEDA91
• LoadStringW.USER32(00000000), ref: 00BEDA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BEDADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00BEDAB9
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: 4abb3889c4125565461111660cfcd7218bee8f80207333fd17e97b73200f3464
• Instruction ID: d3d0e42ce7efbb7522a23449d6f43001f112460cd9692045347dcaa92ea42236
• Opcode Fuzzy Hash: 4abb3889c4125565461111660cfcd7218bee8f80207333fd17e97b73200f3464
• Instruction Fuzzy Hash: 6E0162F65402087FEB10DBA09DC9FEB336CE709701F4044A5B706E2041E6749E844F74
APIs
• InterlockedExchange.KERNEL32(011AE7D8,011AE7D8), ref: 00BF097B
• EnterCriticalSection.KERNEL32(011AE7B8,00000000), ref: 00BF098D
• TerminateThread.KERNEL32(?,000001F6), ref: 00BF099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 00BF09A9
• CloseHandle.KERNEL32(?), ref: 00BF09B8
• InterlockedExchange.KERNEL32(011AE7D8,000001F6), ref: 00BF09C8
• LeaveCriticalSection.KERNEL32(011AE7B8), ref: 00BF09CF
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 75ad032c831e869c06511c0b3844d46f4e4f35ea33f921ef957e1e26947b7834
• Instruction ID: 6243a97f917d1e54ff9fe186e6d81d5f23de4057d8969c711d00f3cde36d3f22
• Opcode Fuzzy Hash: 75ad032c831e869c06511c0b3844d46f4e4f35ea33f921ef957e1e26947b7834
• Instruction Fuzzy Hash: EEF01D31482612BBD7515B94EEC8BEA7A35FF02702F409015F201518B1D7749475CF90
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C01DC0 (__WSAFDIsSet is the exported function behind the FD_ISSET macro, so this is a select()-style readiness check on a socket)
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C01DE1 (ordinal 17 of WSOCK32 is recvfrom; the six arguments and the trailing 0x10, the size of a sockaddr_in, are consistent with a recvfrom call that records the sender address)
• WSAGetLastError.WSOCK32 ref: 00C01DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00C01EDB
• inet_ntoa.WSOCK32(?), ref: 00C01E8C
  • Part of subcall function 00BE39E8: _strlen.LIBCMT ref: 00BE39F2
  • Part of subcall function 00C03224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00BFEC0C), ref: 00C03240
• _strlen.LIBCMT ref: 00C01F35
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: 0f64aa5e85ab38e706b0e03e11e9ea5cac69b5140f915b782876d1aa31bfad07
• Instruction ID: 99b20419ec121d11182782323d537e497bc9d112c6b1104e7f58faf8a91df563
• Opcode Fuzzy Hash: 0f64aa5e85ab38e706b0e03e11e9ea5cac69b5140f915b782876d1aa31bfad07
• Instruction Fuzzy Hash: C7B1F830104341AFD714EF64C895F2AB7E5AF85318F58859CF8665B2E2DB31EE41CB91
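The function block above is typical of what the IDA plugin emits: a WSOCK32 import shows up only as an ordinal ("#17"), and the interesting fact, that this routine waits on a socket, receives a datagram and converts the sender address to text, has to be pieced together from the API list by hand. The script below is an added example written for this page, not Joe Sandbox tooling. It parses the "APIs" lines of such a block, resolves WSOCK32/WS2_32 ordinals 1 to 23 through the documented Winsock export table (assumed here to be the only ordinals worth resolving; anything else is left as "#N" rather than guessed), and summarises the Winsock calls as a receive-with-peer-lookup pattern. The embedded sample input is the API list of this block, copied verbatim.

```python
"""Resolve ordinal-only Winsock imports in a Joe Sandbox function block and
summarise the call chain. Added example for this page, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Winsock 1.1 export ordinals 1..23, identical in WSOCK32.DLL and WS2_32.DLL.
# Assumption: only this documented subset is resolved; other ordinals stay "#N".
WINSOCK_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "inet_addr",
    11: "inet_ntoa", 12: "ioctlsocket", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
}
WINSOCK_MODULES = {"WSOCK32", "WS2_32"}

# One "• name.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:"; the argument list and comma are optional.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Constructed input: the API list of the function block above, copied verbatim.
REPORT_LINES = """\
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C01DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C01DE1
• WSAGetLastError.WSOCK32 ref: 00C01DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00C01EDB
• inet_ntoa.WSOCK32(?), ref: 00C01E8C
  • Part of subcall function 00BE39E8: _strlen.LIBCMT ref: 00BE39F2
  • Part of subcall function 00C03224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00BFEC0C), ref: 00C03240
• _strlen.LIBCMT ref: 00C01F35
"""


@dataclass
class ApiCall:
    name: str                      # resolved name, or "#N" if unresolved
    module: str
    ref: int                       # call-site address
    args: list = field(default_factory=list)   # ints, None for "?"
    subcall: Optional[int] = None  # address of the callee when "Part of subcall"
    ordinal: Optional[int] = None  # original ordinal when imported by number


def _parse_args(raw: Optional[str]) -> list:
    """Turn 'aaaa,?,0010' into [0xaaaa, None, 0x10]; the plugin prints hex."""
    if raw is None:
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok:
            out.append(None if tok == "?" else int(tok, 16))
    return out


def parse_api_block(text: str) -> list:
    """Parse every API line in a block; headings and non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        name, module, ordinal = m["name"], m["module"], None
        if name.startswith("#") and name[1:].isdigit():
            ordinal = int(name[1:])
            if module.upper() in WINSOCK_MODULES:
                name = WINSOCK_ORDINALS.get(ordinal, name)
        calls.append(ApiCall(name=name, module=module, ref=int(m["ref"], 16),
                             args=_parse_args(m["args"]),
                             subcall=int(m["sub"], 16) if m["sub"] else None,
                             ordinal=ordinal))
    return calls


def summarize(calls: list) -> dict:
    """Flag the Winsock behaviours a triager cares about in this chain."""
    names = {c.name for c in calls if c.module.upper() in WINSOCK_MODULES}
    return {
        "winsock_calls": sorted(names),
        "multiplexed": bool(names & {"select", "__WSAFDIsSet"}),  # FD_ISSET helper
        "datagram_receive": "recvfrom" in names,
        "peer_address_lookup": "inet_ntoa" in names,
        "port_byteswap": bool(names & {"htons", "ntohs"}),
    }


if __name__ == "__main__":
    parsed = parse_api_block(REPORT_LINES)
    for c in parsed:
        print(f"{c.ref:08X} {c.module}!{c.name} args={c.args} sub={c.subcall}")
    print(summarize(parsed))
```

Running it on the block's own lines resolves "#17" to recvfrom and reports a multiplexed datagram receive with a peer-address lookup, which is the behaviour behind the "listen for incoming connection" style of signature rather than anything the hashes alone reveal. Paste the "APIs" section of any other block into `REPORT_LINES` to get the same normalised view; ordinals outside the 1 to 23 table are deliberately left unresolved.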
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • __allrem.LIBCMT ref: 00BB00BA
                                                                                                                                                                                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB00D6
                                                                                                                                                                                                                                                                                                                                                                                  • __allrem.LIBCMT ref: 00BB00ED
                                                                                                                                                                                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB010B
                                                                                                                                                                                                                                                                                                                                                                                  • __allrem.LIBCMT ref: 00BB0122
                                                                                                                                                                                                                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB0140
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1992179935-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 43b4d4bf5113e267f7f77802d3a803740101b4f49c5f42d0be940cdfdd1b3d72
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5981C372A057069FE724BA68CC82BFB73E9EF42364F2445BEF551E6281E7B1D9008750
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BA82D9,00BA82D9,?,?,?,00BB644F,00000001,00000001,8BE85006), ref: 00BB6258
                                                                                                                                                                                                                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BB644F,00000001,00000001,8BE85006,?,?,?), ref: 00BB62DE
                                                                                                                                                                                                                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BB63D8
                                                                                                                                                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00BB63E5
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BB3820: RtlAllocateHeap.NTDLL(00000000,?,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6,?,00B81129), ref: 00BB3852
                                                                                                                                                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00BB63EE
                                                                                                                                                                                                                                                                                                                                                                                  • __freea.LIBCMT ref: 00BB6413
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1414292761-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: be7b4e6460400abe8386a252af54b0d2bd15869c9ccdd411d9e376fd1b8427fb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f3e1e9472ec30d38786614e62f7a3055b70eb4ef1254cd8c745f182164a82f66
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: be7b4e6460400abe8386a252af54b0d2bd15869c9ccdd411d9e376fd1b8427fb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6351B172A00216ABEB258F68DC81FFF77E9EB44750F1546A9FC05D6140EBB8DC44C664
APIs
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
  • Part of subcall function 00C0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0B6AE,?,?), ref: 00C0C9B5
  • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0C9F1
  • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0CA68
  • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C0BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C0BD25
• RegCloseKey.ADVAPI32(00000000), ref: 00C0BD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C0BD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C0BDF3
• RegCloseKey.ADVAPI32(?), ref: 00C0BDFF
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
APIs
• VariantInit.OLEAUT32(00000035), ref: 00BDF7B9
• SysAllocString.OLEAUT32(00000001), ref: 00BDF860
• VariantCopy.OLEAUT32(00BDFA64,00000000), ref: 00BDF889
• VariantClear.OLEAUT32(00BDFA64), ref: 00BDF8AD
• VariantCopy.OLEAUT32(00BDFA64,00000000), ref: 00BDF8B1
• VariantClear.OLEAUT32(?), ref: 00BDF8BB
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
APIs
  • Part of subcall function 00B87620: _wcslen.LIBCMT ref: 00B87625
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
• GetOpenFileNameW.COMDLG32(00000058), ref: 00BF94E5
• _wcslen.LIBCMT ref: 00BF9506
• _wcslen.LIBCMT ref: 00BF952D
• GetSaveFileNameW.COMDLG32(00000058), ref: 00BF9585
Strings
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
                                                                                                                                                                                                                                                                                                                                                                                  • BeginPaint.USER32(?,?,?), ref: 00B99241
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00B992A5
                                                                                                                                                                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00B992C2
                                                                                                                                                                                                                                                                                                                                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B992D3
                                                                                                                                                                                                                                                                                                                                                                                  • EndPaint.USER32(?,?,?,?,?), ref: 00B99321
                                                                                                                                                                                                                                                                                                                                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BD71EA
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99339: BeginPath.GDI32(00000000), ref: 00B99357
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3050599898-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8ad0f097ebf1639dbf6056fd9a404c341e87cf64ebd2f83f9bb85e8c5e5ac432
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c5770fd144f9533ba023daa85b3eafa888527623701c703eb2a99eea6f63d5fe
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8ad0f097ebf1639dbf6056fd9a404c341e87cf64ebd2f83f9bb85e8c5e5ac432
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D441BE74148300AFDB20DF28D8C8FAA7BE8EB46321F1442ADF964972A1D7309845DB61
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00BF080C
                                                                                                                                                                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00BF0847
                                                                                                                                                                                                                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00BF0863
                                                                                                                                                                                                                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00BF08DC
                                                                                                                                                                                                                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00BF08F3
                                                                                                                                                                                                                                                                                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BF0921
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3368777196-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3abb2d175b4eb898f81ff70c1aabc6db8bc9bc878e58fca568c922835fdb07e6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b66a9d1c3b5c3d689dfd85ba6092547c433b9baa5405dde39dceeec0ae67b5c3
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3abb2d175b4eb898f81ff70c1aabc6db8bc9bc878e58fca568c922835fdb07e6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D415975A10209ABDF14AF54DC85BAA77B9FF05310F1480A5ED009B2A7DB30DE65DBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B83AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B83A97,?,?,00B82E7F,?,?,?,00000000), ref: 00B83AC2
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BF587B
                                                                                                                                                                                                                                                                                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00BF5995
                                                                                                                                                                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(00C1FCF8,00000000,00000001,00C1FB68,?), ref: 00BF59AE
                                                                                                                                                                                                                                                                                                                                                                                  • CoUninitialize.OLE32 ref: 00BF59CC
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: .lnk
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3172280962-24824748
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 302e66da6861849ba75d9d4d0182d7d27eb11139bd84324ed4d99a47b265be68
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9ab0bab76179a84fe4e253b560f26434e52789cc07bdeab740d7ccef4ae616c2
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 302e66da6861849ba75d9d4d0182d7d27eb11139bd84324ed4d99a47b265be68
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D0D177706087059FC724DF14C484A6ABBE5FF89714F14889DFA899B361DB31EC49CB92
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BE0FCA
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BE0FD6
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BE0FE5
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BE0FEC
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BE1002
                                                                                                                                                                                                                                                                                                                                                                                  • GetLengthSid.ADVAPI32(?,00000000,00BE1335), ref: 00BE17AE
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BE17BA
                                                                                                                                                                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00BE17C1
                                                                                                                                                                                                                                                                                                                                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00BE17DA
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00BE1335), ref: 00BE17EE
                                                                                                                                                                                                                                                                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00BE17F5
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3008561057-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 21838b943f74c4864c6c3fdd9f9a0f2167f748880aafc167e2f5f8c1b8608f18
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3f7c1c78461d168ccf526e430a2698c5fb2633337a80525ae8dd88d855985259
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21838b943f74c4864c6c3fdd9f9a0f2167f748880aafc167e2f5f8c1b8608f18
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B411ACB1580205FFDB10DFA9CC89BAE7BE9FB46755F208898F48197210C735AD40CB60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BE14FF
                                                                                                                                                                                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00BE1506
                                                                                                                                                                                                                                                                                                                                                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BE1515
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000004), ref: 00BE1520
                                                                                                                                                                                                                                                                                                                                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BE154F
                                                                                                                                                                                                                                                                                                                                                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00BE1563
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1413079979-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5f0a3f3a721d5e25531e0b9a468fc91858fd8b76e9821f5df705001ca4d6857b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: b050a2eb53570889439ebdba9f7c62c30ddbb5e82a2351d3cbda1d4a2ea9e7c7
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5f0a3f3a721d5e25531e0b9a468fc91858fd8b76e9821f5df705001ca4d6857b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 10114472500249ABDB12CFA8DD89BDE7BB9FB49704F148064FA05A21A0C375CE61DB60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00BA3379,00BA2FE5), ref: 00BA3390
                                                                                                                                                                                                                                                                                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BA339E
                                                                                                                                                                                                                                                                                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BA33B7
                                                                                                                                                                                                                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,00BA3379,00BA2FE5), ref: 00BA3409
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
APIs
• GetLastError.KERNEL32(?,?,00BB5686,00BC3CD6,?,00000000,?,00BB5B6A,?,?,?,?,?,00BAE6D1,?,00C48A48), ref: 00BB2D78
• _free.LIBCMT ref: 00BB2DAB
• _free.LIBCMT ref: 00BB2DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,00BAE6D1,?,00C48A48,00000010,00B84F4A,?,?,00000000,00BC3CD6), ref: 00BB2DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,00BAE6D1,?,00C48A48,00000010,00B84F4A,?,?,00000000,00BC3CD6), ref: 00BB2DEC
• _abort.LIBCMT ref: 00BB2DF2
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
APIs
  • Part of subcall function 00B99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B99693
  • Part of subcall function 00B99639: SelectObject.GDI32(?,00000000), ref: 00B996A2
  • Part of subcall function 00B99639: BeginPath.GDI32(?), ref: 00B996B9
  • Part of subcall function 00B99639: SelectObject.GDI32(?,00000000), ref: 00B996E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C18A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00C18A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C18A70
• LineTo.GDI32(?,00000000,00000003), ref: 00C18A80
• EndPath.GDI32(?), ref: 00C18A90
• StrokePath.GDI32(?), ref: 00C18AA0
APIs
• GetDC.USER32(00000000), ref: 00BE5218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00BE5229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BE5230
• ReleaseDC.USER32(00000000,00000000), ref: 00BE5238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BE524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 00BE5261
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 683f835c56259d58470c737a67ccde017922b9a56285c59f9959e71bdbe43273
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ad6bbcd6ebce90cd29c277d5b1b3bc771af1a2e9f73648a3a6e01317d69244ba
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82018475A40704BBEB105BA69C89B9EBFB8FB49351F048065FA04A7280D6709800CB60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B81BF4
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B81BFC
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B81C07
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B81C12
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B81C1A
                                                                                                                                                                                                                                                                                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B81C22
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Virtual
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4278518827-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c210f272d0c389eb0f22bdfed39ac11816f56921da3d20ec92e2e65f5330013c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 54ec1f4458278d39a35ab31c72d99f4ef06747de18e0d8c909d0058bedac9e95
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c210f272d0c389eb0f22bdfed39ac11816f56921da3d20ec92e2e65f5330013c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 230167B0942B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BEEB30
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BEEB46
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00BEEB55
                                                                                                                                                                                                                                                                                                                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BEEB64
                                                                                                                                                                                                                                                                                                                                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BEEB6E
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BEEB75
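The two "APIs" lists above (the MapVirtualKeyW block and the PostMessageW/SendMessageTimeoutW/OpenProcess/TerminateProcess block) read much more easily once the raw hexadecimal arguments are resolved to their Win32 names: the virtual-key codes 0x5B/0x10/0xA0/0xA1/0x11/0x12 are the Windows, Shift, Left Shift, Right Shift, Ctrl and Alt modifiers, message 0x10 is WM_CLOSE, flag 0x2 with timeout 0x1F4 is SMTO_ABORTIFHUNG with a 500 ms limit, and access mask 0x1F0FFF is the pre-Vista SDK value of PROCESS_ALL_ACCESS. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's own trace lines (pasted inline as constructed input), annotates them, and flags the graceful-close-then-forced-kill chain. The per-function arity table, the assumption that argument slots beyond a function's real parameter count are leftover stack contents from neighbouring frames, and the reading of that chain as the shape of AutoIt's WinKill() are the author's, not statements made by the report.

```python
"""Resolve hex arguments in Joe Sandbox 'APIs' trace lines to Win32 names.
Added example; not part of the Joe Sandbox report or the analysed sample."""
import re
from dataclasses import dataclass

# Constructed input: the 'APIs' lines of the two functions listed above.
TRACE = """\
MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B81BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B81BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B81C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B81C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B81C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B81C22
PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BEEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BEEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00BEEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BEEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BEEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BEEB75
"""

# Real parameter counts. Assumption: the report prints raw stack slots, so
# anything past these counts is leftover from neighbouring call frames
# (note how SendMessageTimeoutW's 00000010/00000002/000001F4 reappear).
ARITY = {"MapVirtualKeyW": 2, "PostMessageW": 4, "SendMessageTimeoutW": 7,
         "GetWindowThreadProcessId": 2, "OpenProcess": 3,
         "TerminateProcess": 2, "CloseHandle": 1}
VK = {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT",
      0x11: "VK_CONTROL", 0x12: "VK_MENU"}
MAPVK = {0: "MAPVK_VK_TO_VSC", 1: "MAPVK_VSC_TO_VK", 2: "MAPVK_VK_TO_CHAR", 3: "MAPVK_VSC_TO_VK_EX"}
WM = {0x0010: "WM_CLOSE"}
SMTO = {0x1: "SMTO_BLOCK", 0x2: "SMTO_ABORTIFHUNG", 0x8: "SMTO_NOTIMEOUTIFNOTHUNG"}
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE"}
PROCESS_ALL_ACCESS_LEGACY = 0x1F0FFF   # pre-Vista SDK value of PROCESS_ALL_ACCESS

LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


@dataclass
class Call:
    name: str
    module: str
    args: list   # ints, or None where the report printed '?' (not recovered)
    ref: int     # address of the call instruction


def parse_trace(text):
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("•").strip())
        if not m:
            continue
        name, module, argstr, ref = m.groups()
        args = [None if a == "?" else int(a, 16) for a in argstr.split(",")] if argstr else []
        calls.append(Call(name, module, args[:ARITY.get(name, len(args))], int(ref, 16)))
    return calls


def decode_mask(mask, table):
    """Split a flag word into the names from `table`; unknown bits stay hex."""
    if mask is None:
        return ["?"]
    names = [n for bit, n in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)          # keys are distinct single bits
    return names + ([f"0x{unknown:X}"] if unknown else [])


def annotate(call):
    a = call.args

    def hx(i):
        return "?" if a[i] is None else f"0x{a[i]:X}"
    if call.name == "MapVirtualKeyW":
        return f"MapVirtualKeyW({VK.get(a[0], hx(0))}, {MAPVK.get(a[1], hx(1))})"
    if call.name == "PostMessageW":
        return f"PostMessageW(hWnd={hx(0)}, {WM.get(a[1], hx(1))})"
    if call.name == "SendMessageTimeoutW":
        flags = ", ".join(decode_mask(a[4], SMTO)) or "SMTO_NORMAL"
        timeout = "?" if a[5] is None else f"{a[5]} ms"
        return f"SendMessageTimeoutW(hWnd={hx(0)}, {WM.get(a[1], hx(1))}, flags={flags}, timeout={timeout})"
    if call.name == "OpenProcess":
        rights = ("PROCESS_ALL_ACCESS (pre-Vista value 0x1F0FFF)" if a[0] == PROCESS_ALL_ACCESS_LEGACY
                  else "|".join(decode_mask(a[0], PROCESS_RIGHTS)))
        return f"OpenProcess({rights}, bInheritHandle={hx(1)}, pid={hx(2)})"
    return f"{call.name}({', '.join(hx(i) for i in range(len(a)))})"


def find_close_then_kill(calls):
    """Return the TerminateProcess ref when a WM_CLOSE is followed by OpenProcess
    carrying PROCESS_TERMINATE and then TerminateProcess. Reading this
    close-then-kill order as AutoIt's WinKill() is the author's, not the report's."""
    saw_close = saw_open = False
    for c in calls:
        if c.name in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1 and c.args[1] == 0x10:
            saw_close = True
        elif c.name == "OpenProcess" and saw_close and c.args[0] is not None and c.args[0] & 0x1:
            saw_open = True
        elif c.name == "TerminateProcess" and saw_open:
            return c.ref
    return None


if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    for c in parsed:
        print(f"{c.ref:08X}  {annotate(c)}")
    kill = find_close_then_kill(parsed)
    print("close-then-kill chain ends at", f"{kill:08X}" if kill else "not found")
```

Truncating each call to its real arity is the step that matters when reading these listings: the trailing `00000010,00000002,000001F4` on OpenProcess, TerminateProcess and CloseHandle are not parameters of those functions, they are the earlier SendMessageTimeoutW frame still sitting on the stack. The access mask is worth decoding rather than matching as a literal, since a sample that requests only PROCESS_TERMINATE (0x1) or PROCESS_QUERY_INFORMATION|PROCESS_TERMINATE would still drive the same kill chain and should trip the same rule.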
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: bfeb0fcb5e6a3f6b1c2e6aa476c77263457908b52f3216fe89cbb360ca65aac3
• Instruction ID: edffff46e11f3ce9eadb247239c00d8b3688e4ee1ce4dfd022ea2157fa005cc3
• Opcode Fuzzy Hash: bfeb0fcb5e6a3f6b1c2e6aa476c77263457908b52f3216fe89cbb360ca65aac3
• Instruction Fuzzy Hash: 95F03072580158BBE72157629C4DFEF3A7CFFCBB11F008158F611E1091D7A05A01C6B5
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BE187F
• UnloadUserProfile.USERENV(?,?), ref: 00BE188B
• CloseHandle.KERNEL32(?), ref: 00BE1894
• CloseHandle.KERNEL32(?), ref: 00BE189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00BE18A5
• HeapFree.KERNEL32(00000000), ref: 00BE18AC
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: c01fcb7c50098c17ec079d0eb074b474265852fe993be2ed4a78d34b99e577a3
• Instruction ID: 8aad9538d410d80f559a86e8ebf879d545c41639ef1ea8cb25127568ab1d76db
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c01fcb7c50098c17ec079d0eb074b474265852fe993be2ed4a78d34b99e577a3
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9AE0C936484211BBD6015BA1ED4CB8DBB29FB4A721750C220F22581070CB725421DB50
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B87620: _wcslen.LIBCMT ref: 00B87625
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BEC6EE
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BEC735
                                                                                                                                                                                                                                                                                                                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BEC79C
                                                                                                                                                                                                                                                                                                                                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BEC7CA
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ItemMenu$Info_wcslen$Default
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1227352736-4108050209
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 74d131a0fedbe93817204b352c52649a3227555b906e7ea87dd39cc05840d9ba
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 760e3cc489363ab018ab497b33f5588bba92682235ca2f890ea36954a1283a24
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74d131a0fedbe93817204b352c52649a3227555b906e7ea87dd39cc05840d9ba
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B951E0716043819FD7119F2AC885B6B7FE8EF8A310F040AA9F995D31A0DB70DC46DB56
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 00C0AEA3
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B87620: _wcslen.LIBCMT ref: 00B87625
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessId.KERNEL32(00000000), ref: 00C0AF38
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00C0AF67
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: <$@
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 146682121-1426351568
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 3721d87c283dc8f9a71f0745c11cd688c962be5dcd3ee6c691fd6524d1d9e143
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4a8fd0b77a06b3198a7bd9b53fdcb2e0ae4e6b17406c3963f0cb03d1531d2b72
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3721d87c283dc8f9a71f0745c11cd688c962be5dcd3ee6c691fd6524d1d9e143
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B2715971A00615DFCB14EF94C494A9EBBF0FF08314F148499E866AB7A2CB74EE45CB91
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00C162E2
                                                                                                                                                                                                                                                                                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00C16315
                                                                                                                                                                                                                                                                                                                                                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C16382
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$ClientMoveRectScreen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3880355969-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 764611f3251a5fb36eacf34204b9c0ac949d5af40497faefd851d58c9c4565fa
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 194b4104dac84d95097b79b66d947c9491549d7395c56dbef78e59161ad783fa
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 764611f3251a5fb36eacf34204b9c0ac949d5af40497faefd851d58c9c4565fa
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 27510C74A00209EFDB10DF54D884AEE7BB5FF46360F548159F925972A0D770EE81DB50
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE21D0,?,?,00000034,00000800,?,00000034), ref: 00BEB42D
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BE2760
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BEB3F8
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BEB355
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BE2194,00000034,?,?,00001004,00000000,00000000), ref: 00BEB365
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BE2194,00000034,?,?,00001004,00000000,00000000), ref: 00BEB37B
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BE27CD
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BE281A
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @$@U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4150878124-826235744
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 62ed1c3e39b0ff7001d97b726cb5ba7c88d8de47c40c3bc4a73395f798b5edbb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 091ffbcfab30496c6df3ea76c8bd051af23472d7898e42ce73ee29c75850b313
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 62ed1c3e39b0ff7001d97b726cb5ba7c88d8de47c40c3bc4a73395f798b5edbb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C1411A72900218AFDB10DBA5CD86FEEBBB8EF09700F108095FA55B7191DB706E45CBA1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BE7206
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BE723C
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BE724D
                                                                                                                                                                                                                                                                                                                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BE72CF
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: DllGetClassObject
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 753597075-1075368562
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9f4e0b32426b494b5f52f342b1b822f834f87e13c5200a40f8fd3fb83710c58f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d0a9ce0ac9d030a27a6f358d8eeddb20ad551c8d8cb76d05ad3088075db10f0a
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f4e0b32426b494b5f52f342b1b822f834f87e13c5200a40f8fd3fb83710c58f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 75417D71684245AFDF15CF55C884B9A7BE9EF46310F2480ADBE059F20ADBB0D945CBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00C15352
                                                                                                                                                                                                                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00C15375
                                                                                                                                                                                                                                                                                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C15382
                                                                                                                                                                                                                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C153A8
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: LongWindow$InvalidateMessageRectSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3340791633-2594219639
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen
• String ID: HKEY_LOCAL_MACHINE$HKLM
• API String ID: 176396367-4004644295
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C12F8D
• LoadLibraryW.KERNEL32(?), ref: 00C12F94
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C12FA9
• DestroyWindow.USER32(?), ref: 00C12FB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 00C156BB
• _wcslen.LIBCMT ref: 00C156CD
• _wcslen.LIBCMT ref: 00C156D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00C15816
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID: @U=u
• API String ID: 455545452-2594219639
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B8604C
• GetStockObject.GDI32(00000011), ref: 00B86060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00B8606A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CreateMessageObjectSendStockWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3970641297-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0adb3746a86f83d39cc9e109c5022e2103d67c0917d02a162c9d5734e8e512e9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 081628f17195a6d20df882ff15066453e4e52580a011c6cd61262ba31d1e3704
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0adb3746a86f83d39cc9e109c5022e2103d67c0917d02a162c9d5734e8e512e9
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5611AD72101508FFEF165FA48C84FEEBBA9FF093A4F044245FA1452120C7329C60DBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BA4D1E,00BB28E9,?,00BA4CBE,00BB28E9,00C488B8,0000000C,00BA4E15,00BB28E9,00000002), ref: 00BA4D8D
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BA4DA0
                                                                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00BA4D1E,00BB28E9,?,00BA4CBE,00BB28E9,00C488B8,0000000C,00BA4E15,00BB28E9,00000002,00000000), ref: 00BA4DC3
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 6c57e6dd4b303d2770a8dfb454136f597cc3167aeb190ffa64ad38baa684a37c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: bdfac55dddcf5b27e7d04c1966288bf4c8b5f1e39e02a6869c6841960c754308
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6c57e6dd4b303d2770a8dfb454136f597cc3167aeb190ffa64ad38baa684a37c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 32F04F35A84218BBDB119F94DC89BEEBBF5FF45B51F1040A5F805A2660CBB19D40CA90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B84EDD,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84E9C
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B84EAE
                                                                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00B84EDD,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84EC0
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 145871493-3689287502
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2bad7bd4a53830fcef2b0a914ed6bf098f05dc352313210d1665869c4332d187
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3a5da401a887aed0110b69207393afd65a390d07f5e567aae9f05db775cf905f
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2bad7bd4a53830fcef2b0a914ed6bf098f05dc352313210d1665869c4332d187
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D7E0CD36A815236BD2312B256C58BAF6694FFC3F637154165FC00E2210DB60CD01C1A0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BC3CDE,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84E62
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B84E74
                                                                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00BC3CDE,?,00C51418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00B84E87
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: e193b08a48cfb463ab04d8a0ea83ed57bc4d6e81d7b421822ecc71f1d85e3d46
• Instruction ID: d5997b1e812678e0cdaf91aec045e40da09fa177c11af424bbab561fd6ea13a4
• Opcode Fuzzy Hash: e193b08a48cfb463ab04d8a0ea83ed57bc4d6e81d7b421822ecc71f1d85e3d46
• Instruction Fuzzy Hash: A7D012365826226796262B256C58FCF6A58FF86B523154565B905E2124CF60CD02C6D0
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BF2C05
• DeleteFileW.KERNEL32(?), ref: 00BF2C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BF2C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BF2CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BF2CC0
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: f554c04fa18e49943890f57a5acea69d39e22226856b7c66be20eb54a78a20ba
• Instruction ID: c22eba2fb7a9312d07f722d3c2a27fec03982374c2c016039cdbc7e40ebe47da
• Opcode Fuzzy Hash: f554c04fa18e49943890f57a5acea69d39e22226856b7c66be20eb54a78a20ba
• Instruction Fuzzy Hash: 16B10E71D0011DABDF25EBA4CC85EEEBBBDEF49350F1040E6F609A7151EA309A488B61
APIs
• GetCurrentProcessId.KERNEL32 ref: 00C0A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C0A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C0A468
• CloseHandle.KERNEL32(?), ref: 00C0A63D
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 068f5b7229bcb7b87b1fb3e8597a9374d44dfd878e8b04da4effe1acea2160c7
• Instruction ID: 26849b5741ad8b73b9108e593cc4cfa6d7d1b285c8f1a9ce9728ebc2e1e80763
• Opcode Fuzzy Hash: 068f5b7229bcb7b87b1fb3e8597a9374d44dfd878e8b04da4effe1acea2160c7
• Instruction Fuzzy Hash: 91A17F71604300AFE720EF24D886B2AB7E5AF84714F14885DF66A9B3D2D771ED41CB92
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C23700), ref: 00BBBB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C5121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BBBC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00C51270,000000FF,?,0000003F,00000000,?), ref: 00BBBC36
• _free.LIBCMT ref: 00BBBB7F
  • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
  • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
• _free.LIBCMT ref: 00BBBD4B
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
• Opcode ID: 01571b3980a6f0992257040a07f19071f65cdf8bb4ece22e3687166cb0e3a0eb
• Instruction ID: cdac544c3f4b97645f7736102cf77a34eaa8ca1dd44338f7192b6986039bce5c
• Opcode Fuzzy Hash: 01571b3980a6f0992257040a07f19071f65cdf8bb4ece22e3687166cb0e3a0eb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A51A475900209ABCB14EF65DC85FFEBBF8EB41310F1442AAE454E71A1EBF09E408B50
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BECF22,?), ref: 00BEDDFD
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BECF22,?), ref: 00BEDE16
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEE199: GetFileAttributesW.KERNEL32(?,00BECF95), ref: 00BEE19A
                                                                                                                                                                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00BEE473
                                                                                                                                                                                                                                                                                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00BEE4AC
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BEE5EB
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BEE603
                                                                                                                                                                                                                                                                                                                                                                                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00BEE650
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3183298772-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d4e864432341500d9680d7c35ec5053e6bdf6d4a68a95dc634d7cb309bc9e06a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5d32e138b2bb71d839e651307f7bc412c10658df4eb31faf91bcde58a9a8132d
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d4e864432341500d9680d7c35ec5053e6bdf6d4a68a95dc634d7cb309bc9e06a
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 435153B24083859BC724EB90D881AEFB3ECEF85340F00495EF599D3191EF75E6888756
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C0B6AE,?,?), ref: 00C0C9B5
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0C9F1
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0CA68
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0C998: _wcslen.LIBCMT ref: 00C0CA9E
                                                                                                                                                                                                                                                                                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C0BAA5
                                                                                                                                                                                                                                                                                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C0BB00
                                                                                                                                                                                                                                                                                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C0BB63
                                                                                                                                                                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00C0BBA6
                                                                                                                                                                                                                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00C0BBB3
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 826366716-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b7ae8c361cbcaa0e20c863a5496686f4482ff3f23afdec9d58b308848017cb45
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7acc5cbbd7f6032020f4c7930ace99bbbeb3fc92768af98685579773ed97e595
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b7ae8c361cbcaa0e20c863a5496686f4482ff3f23afdec9d58b308848017cb45
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A961A031208241AFD714DF24C490E6ABBE5FF85308F54859DF4AA8B2A2DB31ED45CB92
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00BE8BCD
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32 ref: 00BE8C3E
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32 ref: 00BE8C9D
                                                                                                                                                                                                                                                                                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00BE8D10
                                                                                                                                                                                                                                                                                                                                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BE8D3B
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Variant$Clear$ChangeInitType
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4136290138-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d67b852e09d8d048eb81a2dfeb80945b60bd1e7d08640428f65a1f78b1139fa7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 12c58ca1489bddf8f0c75c4ff04bcec919cb6aa6de4a1b72c330483679fe9e18
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d67b852e09d8d048eb81a2dfeb80945b60bd1e7d08640428f65a1f78b1139fa7
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 67516CB5A00659EFCB10CF59C884AAAB7F5FF89310B158569F909DB350E730E911CF90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BF8BAE
                                                                                                                                                                                                                                                                                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00BF8BDA
                                                                                                                                                                                                                                                                                                                                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BF8C32
                                                                                                                                                                                                                                                                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BF8C57
                                                                                                                                                                                                                                                                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BF8C5F
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: PrivateProfile$SectionWrite$String
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2832842796-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 97ae1b6829405bc285bc398dde2e40fd71456c2ce44ffc5e730132331521a507
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d56aa085e70de01e3367b021987a75e0512badb8080a5fa7c9f2b59673b37190
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97ae1b6829405bc285bc398dde2e40fd71456c2ce44ffc5e730132331521a507
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 12513E35A006199FCB05DF64C881AADBBF5FF49314F088498E949AB372DB31ED55CBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C08F40
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00C08FD0
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C08FEC
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00C09032
                                                                                                                                                                                                                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00C09052
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00BF1043,?,75B8E610), ref: 00B9F6E6
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B9F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00BDFA64,00000000,00000000,?,?,00BF1043,?,75B8E610,?,00BDFA64), ref: 00B9F70D
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 666041331-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 38180f1faf6ed88fc914f3956df35e88ec8faf1e613a319ce5f5c7405dfa44bf
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3b52e255f3f89c7db7f15b76a3521ecb8557d755d6473105cfac0c221e224544
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 38180f1faf6ed88fc914f3956df35e88ec8faf1e613a319ce5f5c7405dfa44bf
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 90513C35604205DFCB15EF68C4949ADBBF1FF59314B1880A8E855AB3A2DB31EE85CB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: ef8aa819040ac5242630ab78da6ddf28d7bf803428aa82ae25c221005bd37ce6
• Instruction ID: c15b8de4c642e1540dbc2b343435f04815948257f6721d8a972b50b0c651898c
• Opcode Fuzzy Hash: ef8aa819040ac5242630ab78da6ddf28d7bf803428aa82ae25c221005bd37ce6
• Instruction Fuzzy Hash: C641D376A00200AFCB24DF78C881AADB7F5EF89314F5585A8E515EB355DB71AD01CB80
APIs
• GetCursorPos.USER32(?), ref: 00B99141
• ScreenToClient.USER32(00000000,?), ref: 00B9915E
• GetAsyncKeyState.USER32(00000001), ref: 00B99183
• GetAsyncKeyState.USER32(00000002), ref: 00B9919D
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 030e24d82cd03ede0caf39135831a27e87776d9222a756ac75a8c78535031d7b
• Instruction ID: 08c1a8606996b08ce5de9372cf6b30a7da3bfe5b77291133184cc790d5c973f3
• Opcode Fuzzy Hash: 030e24d82cd03ede0caf39135831a27e87776d9222a756ac75a8c78535031d7b
• Instruction Fuzzy Hash: B9414F7190851AFBDF159F68C884BEEF7B5FB05320F20836AE425B62D0EB305950DB91
APIs
• GetInputState.USER32 ref: 00BF38CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00BF3922
• TranslateMessage.USER32(?), ref: 00BF394B
• DispatchMessageW.USER32(?), ref: 00BF3955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BF3966
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 2a1a3837477fbcdd024ac525bc66cae5f5efd74d4c2ee3b90aeda18a2a8b4286
• Instruction ID: b9be4b8fd9cd21dfb5816aac5521bf1d337aa24807b48f1ab58a4bcd861a8724
• Opcode Fuzzy Hash: 2a1a3837477fbcdd024ac525bc66cae5f5efd74d4c2ee3b90aeda18a2a8b4286
• Instruction Fuzzy Hash: F631BA745443499EEB35C7349858BBA37E4EB05741F08859DE963931A0D3F49688CB11
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00BFC21E,00000000), ref: 00BFCF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 00BFCF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,00BFC21E,00000000), ref: 00BFCFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00BFC21E,00000000), ref: 00BFCFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00BFC21E,00000000), ref: 00BFCFF2
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: ab553b05107579150595a8e3b11b86de50c8c59c3c55dafbc1b9c548c9094691
• Instruction ID: 79746eaa6a250e65fc628dae98c5aa1cb5d77701c64c1dd6334eb3c1edbe78e6
• Opcode Fuzzy Hash: ab553b05107579150595a8e3b11b86de50c8c59c3c55dafbc1b9c548c9094691
• Instruction Fuzzy Hash: 8D314D7150420EAFDB20DFA5C984ABEBBF9EF15350B1084AEF616D3151D730AE88DB60
APIs
• GetWindowRect.USER32(?,?), ref: 00BE1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00BE19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00BE19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00BE19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BE19E2
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessagePostSleep$RectWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3382505437-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cb19a54615af8fd47b1211c395c49dc791ffab74f4555edb159e687912ba9e81
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4aa38b924f8d664c678a5eb13ad9eebb5af2e3692292c1181b8547d1ecaf25b5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb19a54615af8fd47b1211c395c49dc791ffab74f4555edb159e687912ba9e81
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1431CF75900259EFCB00CFACC998BDE3BB5FB05315F208665F921A72D1C3709955CB90
APIs
• IsWindow.USER32(00000000), ref: 00C00951
• GetForegroundWindow.USER32 ref: 00C00968
• GetDC.USER32(00000000), ref: 00C009A4
• GetPixel.GDI32(00000000,?,00000003), ref: 00C009B0
• ReleaseDC.USER32(00000000,00000003), ref: 00C009E8
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 6ba9971c6109229cd30c1077d323275e67d85ef9aca125abc46984977250d775
• Instruction ID: 3eb5ff0089845d64b88216f33d3f46ea25e572a7388ee6a5862400aebe1ee0d2
• Opcode Fuzzy Hash: 6ba9971c6109229cd30c1077d323275e67d85ef9aca125abc46984977250d775
• Instruction Fuzzy Hash: E8215B75600204AFD704EF69D884BAEBBE9FF49700F14C468F95A973A2CB70AD04CB90
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00BBCDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BBCDE9
  • Part of subcall function 00BB3820: RtlAllocateHeap.NTDLL(00000000,?,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6,?,00B81129), ref: 00BB3852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BBCE0F
• _free.LIBCMT ref: 00BBCE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BBCE31
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: ab08f23312f22ea364135daf925bbe11c90745f63b5002668c5864e0a27d5ea9
• Instruction ID: b3254d00402b2e3a349ca83c95382e8a3aecd7221a12e260b8d65a20f494bb99
• Opcode Fuzzy Hash: ab08f23312f22ea364135daf925bbe11c90745f63b5002668c5864e0a27d5ea9
• Instruction Fuzzy Hash: E4018872601615BF23215A766CC8EFF6DEDEEC7BA131541A9F905DB201DAA1DD0181B0
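Triage note (added example, not part of the Joe Sandbox report or of the analysed sample). The three API listings above are easier to read once the raw arguments are decoded: in the first entry, the second argument of PostMessageW is the window message, and 0x0201/0x0202 are WM_LBUTTONDOWN/WM_LBUTTONUP, so the chain GetWindowRect, PostMessageW(WM_LBUTTONDOWN), Sleep, PostMessageW(WM_LBUTTONUP), Sleep is a synthesized mouse click posted straight to a window (consistent with how AutoIt's ControlClick() works, which fits the "compiled AutoIt" verdict, though that attribution is the editor's inference, not a report field); in the second, GetDC(0) is the screen device context, so GetPixel on it reads the colour of a screen coordinate. The Python below parses the listing format shown on this page into call records, names the window messages, and tags those two behaviours; the sample input is the page's own API lines, the tag names and the regular expression are the editor's choices.

```python
"""Parse Joe Sandbox "APIs" listings and decode what the call chains do.

Added example (editor's code, not the report's or the sample's).  The input
below is constructed from the API lines shown on this page.
"""
import re
from typing import Dict, List, Optional

# Constructed input: the "APIs" blocks of three entries, copied from the report
# text above with the extraction whitespace removed.
SAMPLE = """\
APIs
• GetWindowRect.USER32(?,?), ref: 00BE1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00BE19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00BE19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00BE19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00BE19E2
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Opcode ID: cb19a54615af8fd47b1211c395c49dc791ffab74f4555edb159e687912ba9e81
APIs
• IsWindow.USER32(00000000), ref: 00C00951
• GetForegroundWindow.USER32 ref: 00C00968
• GetDC.USER32(00000000), ref: 00C009A4
• GetPixel.GDI32(00000000,?,00000003), ref: 00C009B0
• ReleaseDC.USER32(00000000,00000003), ref: 00C009E8
Memory Dump Source
• Opcode ID: 6ba9971c6109229cd30c1077d323275e67d85ef9aca125abc46984977250d775
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00BBCDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BBCDE9
  • Part of subcall function 00BB3820: RtlAllocateHeap.NTDLL(00000000,?,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6,?,00B81129), ref: 00BB3852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BBCE0F
• _free.LIBCMT ref: 00BBCE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BBCE31
Memory Dump Source
• Opcode ID: ab08f23312f22ea364135daf925bbe11c90745f63b5002668c5864e0a27d5ea9
"""

# One report line: "• [Part of subcall function XXXXXXXX: ]Name.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)

# Window message constants (from WinUser.h) for the Msg parameter.
WM_NAMES = {
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0102: "WM_CHAR",
    0x0200: "WM_MOUSEMOVE", 0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
    0x0203: "WM_LBUTTONDBLCLK", 0x0204: "WM_RBUTTONDOWN", 0x0205: "WM_RBUTTONUP",
}
MESSAGE_APIS = {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}


def parse_entries(text: str) -> List[Dict]:
    """Split the listing into function entries, each with its API call records."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "opcode_id": None}
            entries.append(current)
            in_apis = True
            continue
        if current is None:
            continue
        if line == "Memory Dump Source":
            in_apis = False
        elif line.startswith("• Opcode ID:"):
            current["opcode_id"] = line.split(":", 1)[1].strip()
        elif in_apis and (m := API_RE.match(line)):
            args = m.group("args")
            current["apis"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": [a.strip() for a in args.split(",")] if args is not None else [],
                "ref": int(m.group("ref"), 16),      # call-site address, used for ordering
                "subcall": m.group("sub"),           # set when the call is inside a callee
            })
    return entries


def window_message(call: Dict) -> Optional[str]:
    """Name the Msg argument (second parameter) of a PostMessage/SendMessage call."""
    if call["name"] not in MESSAGE_APIS or len(call["args"]) < 2:
        return None
    msg = call["args"][1]
    if not re.fullmatch(r"[0-9A-F]{8}", msg):
        return None                     # "?" means the sandbox could not resolve it
    return WM_NAMES.get(int(msg, 16), f"0x{int(msg, 16):04X}")


def classify(entry: Dict) -> List[str]:
    """Tag behaviours recognisable from the call chain (tag names are the editor's)."""
    calls = sorted(entry["apis"], key=lambda c: c["ref"])
    names = [c["name"] for c in calls]
    messages = [window_message(c) for c in calls]
    tags: List[str] = []
    # WM_LBUTTONDOWN then WM_LBUTTONUP posted to a window, with no hardware
    # input involved, is a synthesized click (the pattern AutoIt's ControlClick
    # produces; that attribution is an inference, not a report field).
    if "WM_LBUTTONDOWN" in messages and "WM_LBUTTONUP" in messages \
            and messages.index("WM_LBUTTONDOWN") < messages.index("WM_LBUTTONUP"):
        tags.append("synthetic-click")
    # GetDC(NULL) is the device context of the whole screen; GetPixel on it
    # reads the colour at a screen coordinate (PixelGetColor-style probing).
    if "GetPixel" in names and any(
            c["name"] == "GetDC" and c["args"][:1] == ["00000000"] for c in calls):
        tags.append("screen-pixel-probe")
    return tags


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        chain = " -> ".join(
            c["name"] + (f"[{window_message(c)}]" if window_message(c) else "")
            for c in sorted(e["apis"], key=lambda c: c["ref"]))
        print(f"{e['opcode_id'][:12]}  {classify(e) or '-'}  {chain}")
```

Run it to get one line per entry with the decoded chain and tags; to reuse it on the rest of the report, paste further "APIs" blocks into SAMPLE or read the saved page text in place of it. Unresolved arguments shown as "?" are left undecoded rather than guessed.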
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B99693
• SelectObject.GDI32(?,00000000), ref: 00B996A2
• BeginPath.GDI32(?), ref: 00B996B9
• SelectObject.GDI32(?,00000000), ref: 00B996E2
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3225163088-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a93aa9f122872e5e20a2e3d6766a637b95b5370e67b62e61134b8ad0df7390bb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7e9e09fc0eb05d87483dd37759ff2394cd125d6321e6cb656dd8f69e8a093767
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a93aa9f122872e5e20a2e3d6766a637b95b5370e67b62e61134b8ad0df7390bb
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 29218E74842305EBDF119F68EC487ED7BF9FB12366F28426AF811A61B0D3709891CB94
APIs
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: fea17b8ff3dbc6dd6d3ad916c83f9c3eeb6f5e80fa290cd5f8e7eab8ba09d2d0
• Instruction ID: 7d44b79da3395809d7be7cc0872b1444210bbefece0b74fdf3354a131419f00b
• Opcode Fuzzy Hash: fea17b8ff3dbc6dd6d3ad916c83f9c3eeb6f5e80fa290cd5f8e7eab8ba09d2d0
• Instruction Fuzzy Hash: 5B01F5B2345609FBD62899169D92FFF73DCDB22399F0000B4FD049A241F760ED6192E4
APIs
• GetLastError.KERNEL32(?,?,?,00BAF2DE,00BB3863,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6), ref: 00BB2DFD
• _free.LIBCMT ref: 00BB2E32
• _free.LIBCMT ref: 00BB2E59
• SetLastError.KERNEL32(00000000,00B81129), ref: 00BB2E66
• SetLastError.KERNEL32(00000000,00B81129), ref: 00BB2E6F
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: fab4977b0ecb002c8dfa64fe87e287610eccc465e33a356fd3af508101381749
• Instruction ID: 374ab80c72f164af3974aaf4503f39fe68228dc66bb816b7de38d76d37c5767b
• Opcode Fuzzy Hash: fab4977b0ecb002c8dfa64fe87e287610eccc465e33a356fd3af508101381749
• Instruction Fuzzy Hash: 4301F4362456006BC6132736ACC5FFF26E9FBD67A1B2044A8F825A22A2EFE4CC014020
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?,?,00BE035E), ref: 00BE002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?), ref: 00BE0046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?), ref: 00BE0054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?), ref: 00BE0064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00BDFF41,80070057,?,?), ref: 00BE0070
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: ef5e570a4072314f37a397a6e6931b20fc383b14b4a8dc0091facefeb567d696
• Instruction ID: 07336756b09fae8f5297c8041573c10948f961f0e5bcdab0c56d44a9343ae97c
• Opcode Fuzzy Hash: ef5e570a4072314f37a397a6e6931b20fc383b14b4a8dc0091facefeb567d696
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7018F72650208BFEB11AF6AEC84BEE7BEDEB44751F148164F905D2211D7B5DD808BA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00BEE997
                                                                                                                                                                                                                                                                                                                                                                                  • QueryPerformanceFrequency.KERNEL32(?), ref: 00BEE9A5
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 00BEE9AD
                                                                                                                                                                                                                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 00BEE9B7
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32 ref: 00BEE9F3
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2833360925-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 04c78d5ac6f484100edf94fb65598a92e5003a784f47e9d64e303e050bea318f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5d0492f140e2472cecf8714c88fb5ebc68952548a609ecfe9040126e0b9af083
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 04c78d5ac6f484100edf94fb65598a92e5003a784f47e9d64e303e050bea318f
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 85015B35C41629EBCF009BE6D889BEDBBF8FB09300F004586E522B2252CB309550D7A1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BE1114
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE1120
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE112F
                                                                                                                                                                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00BE0B9B,?,?,?), ref: 00BE1136
                                                                                                                                                                                                                                                                                                                                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BE114D
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 842720411-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 85a7f015b566f199403cf05a4fb8369a045ff7cca9b32e8458662b303b679173
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8a9578486fc0dede984893047663891b3170130789706960f95d1039f62bb133
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85a7f015b566f199403cf05a4fb8369a045ff7cca9b32e8458662b303b679173
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 15011D79140305BFDB114F69DC89BAE3BAEFF86360B208455FA45D7360DB71DC109A60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BE0FCA
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BE0FD6
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BE0FE5
                                                                                                                                                                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BE0FEC
                                                                                                                                                                                                                                                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BE1002
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 44706859-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 99eb44696bbc9a010c117b4162133135eed592909b70f83f4e2f4d6988e69537
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 9bc25acaf3ccf3e7580b0f10df0a74f420c6f2eb963a652bf11cccab67c76d25
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 99eb44696bbc9a010c117b4162133135eed592909b70f83f4e2f4d6988e69537
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B3F04F39180351BBD7214FA99C89F9A3BAEFF8A761F618854F946C6291CA70DC508A60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BE102A
                                                                                                                                                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BE1036
                                                                                                                                                                                                                                                                                                                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE1045
                                                                                                                                                                                                                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE104C
                                                                                                                                                                                                                                                                                                                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BE1062
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 44706859-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: dc11c147de77b90d1ed73dab035f9cb8946e554bb46dd3831b484731c80ae0ff
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 841bf9e9cae777de3d89389de8829258577984cf4986d4910d113bd3384f102d
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc11c147de77b90d1ed73dab035f9cb8946e554bb46dd3831b484731c80ae0ff
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0FF06239180351FBD7215FA9EC89F9A3BAEFF8A761F214414F945C7251CB70D8508A60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00BF017D,?,00BF32FC,?,00000001,00BC2592,?), ref: 00BF0324
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00BF017D,?,00BF32FC,?,00000001,00BC2592,?), ref: 00BF0331
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00BF017D,?,00BF32FC,?,00000001,00BC2592,?), ref: 00BF033E
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00BF017D,?,00BF32FC,?,00000001,00BC2592,?), ref: 00BF034B
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00BF017D,?,00BF32FC,?,00000001,00BC2592,?), ref: 00BF0358
                                                                                                                                                                                                                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00BF017D,?,00BF32FC,?,00000001,00BC2592,?), ref: 00BF0365
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CloseHandle
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2962429428-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 35cd0012c461dab8097eddffcaf0f463263301bb1640e574bed8ecc082058224
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 7bb6f81cf2576d14b4cb6de47a221a2503c5339463f5c26609ff6a519b57d70f
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35cd0012c461dab8097eddffcaf0f463263301bb1640e574bed8ecc082058224
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2301A272810B199FC730AF66D880826F7F5FF543153158A7FD29652932C371A959CF84
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBD752
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBD764
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBD776
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBD788
                                                                                                                                                                                                                                                                                                                                                                                  • _free.LIBCMT ref: 00BBD79A
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: e1deacdfa8ecc954bfdcd436b589b825fe1436cf7c9f7263ba477b4b40dbfdf4
• Instruction ID: ab14008c367b59fc2291731410f660e0a56fb76983a38887d7b522c34ecc5569
• Opcode Fuzzy Hash: e1deacdfa8ecc954bfdcd436b589b825fe1436cf7c9f7263ba477b4b40dbfdf4
• Instruction Fuzzy Hash: 5EF04F32501204BBC661EB65F9C5EEA77DDFB053107940C95F088D7651DBA4FC808664
APIs
• _free.LIBCMT ref: 00BB22BE
  • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
  • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
• _free.LIBCMT ref: 00BB22D0
• _free.LIBCMT ref: 00BB22E3
• _free.LIBCMT ref: 00BB22F4
• _free.LIBCMT ref: 00BB2305
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 760e061481c192f3620a523c894c3f1d369c43663d2e893728e3a89bfced16cd
• Instruction ID: 7897b4d12075425aa5729792b8ef9162a1d572ab7c478f98c248c60118fb6ce0
• Opcode Fuzzy Hash: 760e061481c192f3620a523c894c3f1d369c43663d2e893728e3a89bfced16cd
• Instruction Fuzzy Hash: A9F0547C4013109B8652AF94BC41BAC3BE4F719752B150A56F818E63B1C7B004919FE5
APIs
• EndPath.GDI32(?), ref: 00B995D4
• StrokeAndFillPath.GDI32(?,?,00BD71F7,00000000,?,?,?), ref: 00B995F0
• SelectObject.GDI32(?,00000000), ref: 00B99603
• DeleteObject.GDI32 ref: 00B99616
• StrokePath.GDI32(?), ref: 00B99631
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: f6d8a5e53208c6eaa1cfd52045200b8e90ee4f1d0528bc744abf3fd09dc9c07c
• Instruction ID: 133d3678b750f5cfd2b04ff5aac3b7fe562c3884eefaa37c4ed668474ed83405
• Opcode Fuzzy Hash: f6d8a5e53208c6eaa1cfd52045200b8e90ee4f1d0528bc744abf3fd09dc9c07c
• Instruction Fuzzy Hash: F4F03C38045304EBDB125F69ED5C7AD3BA1FB16323F188268F865A50F0C7308991DF64
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
• Opcode ID: 44b0aaa701b257bbda308815b724cf76fe7f393fc7f1faafa7b405e67f3fcb12
• Instruction ID: 24663b04b945c00d8df2b1155fa898ffcdfc9c4b878afc34940e80bf6d25d001
• Opcode Fuzzy Hash: 44b0aaa701b257bbda308815b724cf76fe7f393fc7f1faafa7b405e67f3fcb12
• Instruction Fuzzy Hash: B0D1C331900205EBDB249F6CC8A5BFAB7F5EF05700F9849D9E501AB650E3B59D80CB65
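The memory-dump file names and API lines in these function records carry more than is obvious at a glance: the .sdmp name embeds the region's base address, page protection and memory type, and the API lines record the imported routine, its module, the observed argument slots and whether the call sits in a subcall. The Python below is an added example, not part of the Joe Sandbox report. It parses both record types, using the dump names and API lines quoted above as constructed input. The field order assumed for the .sdmp name (PID . phase . dump id . base . protection . state . type . index) is an inference from the names above; the protection and type values are decoded with the documented Windows PAGE_* and MEM_* constants.

```python
"""Decode Joe Sandbox .sdmp dump names and API-call lines (added example)."""
import re

# Documented Windows memory constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed field layout of a Joe Sandbox dump name, inferred from the report.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)

# One API line: optional "Part of subcall function XXXXXXXX:" prefix,
# then Api.MODULE, optional (args), then "ref: ADDRESS".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Constructed input: the dump names listed in the records above.
DUMP_NAMES = [
    "00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp",
]

# Constructed input: API lines copied from the records above.
API_LINES = """\
• _free.LIBCMT ref: 00BB22BE
  • Part of subcall function 00BB29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000), ref: 00BB29DE
  • Part of subcall function 00BB29C8: GetLastError.KERNEL32(00000000,?,00BBD7D1,00000000,00000000,00000000,00000000,?,00BBD7F8,00000000,00000007,00000000,?,00BBDBF5,00000000,00000000), ref: 00BB29F0
• EndPath.GDI32(?), ref: 00B995D4
• DeleteObject.GDI32 ref: 00B99616
• __Init_thread_footer.LIBCMT ref: 00C07BFB
  • Part of subcall function 00BA0242: EnterCriticalSection.KERNEL32(00C5070C,00C51884,?,?,00B9198B,00C52518,?,?,?,00B812F9,00000000), ref: 00BA024D
"""


def decode_protection(value):
    """Turn a PAGE_* bitmask into its symbolic name(s)."""
    base = value & 0xFF
    names = [PAGE_PROTECT.get(base, f"0x{base:02x}")]
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_sdmp_name(name):
    """Split a dump file name into its fields and decode protection/type."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    protect = int(m["protect"], 16)
    return {
        "pid": int(m["pid"], 16),
        "phase": int(m["phase"], 16),
        "base": int(m["base"], 16),
        "protection": decode_protection(protect),
        # Any PAGE_EXECUTE* flavour sets one of bits 0x10..0x80.
        "executable": bool(protect & 0xF0),
        "type": MEM_TYPE.get(int(m["type"], 16), f"0x{m['type']}"),
    }


def executable_regions(names):
    """Base addresses of all dumped regions mapped with execute permission."""
    return [r["base"] for r in map(parse_sdmp_name, names) if r["executable"]]


def parse_api_lines(text):
    """Parse report API lines into dicts; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = m["args"].split(",") if m["args"] is not None else []
        calls.append({
            "api": m["api"], "module": m["module"], "args": args,
            "ref": int(m["ref"], 16),
            "subcall_of": int(m["sub"], 16) if m["sub"] else None,
        })
    return calls


def module_summary(calls):
    """Map each module to the sorted list of distinct APIs called from it."""
    out = {}
    for c in calls:
        out.setdefault(c["module"], set()).add(c["api"])
    return {mod: sorted(apis) for mod, apis in out.items()}


if __name__ == "__main__":
    for n in DUMP_NAMES:
        r = parse_sdmp_name(n)
        print(f"{r['base']:#010x} {r['protection']:<22} {r['type']}")
    print(module_summary(parse_api_lines(API_LINES)))
```

Run against the names above, the decode is consistent with an image-mapped PE: only the region at 00B81000 is PAGE_EXECUTE_READ (the code section, matching the "based on PE: true" source file), the header and read-only data regions are PAGE_READONLY, and 00C4C000 is PAGE_READWRITE, all typed MEM_IMAGE. The module summary is a quick way to separate CRT housekeeping such as LIBCMT `_free` from the OS calls that the report's behaviour signatures are derived from.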
APIs
  • Part of subcall function 00BA0242: EnterCriticalSection.KERNEL32(00C5070C,00C51884,?,?,00B9198B,00C52518,?,?,?,00B812F9,00000000), ref: 00BA024D
  • Part of subcall function 00BA0242: LeaveCriticalSection.KERNEL32(00C5070C,?,00B9198B,00C52518,?,?,?,00B812F9,00000000), ref: 00BA028A
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
  • Part of subcall function 00BA00A3: __onexit.LIBCMT ref: 00BA00A9
• __Init_thread_footer.LIBCMT ref: 00C07BFB
  • Part of subcall function 00BA01F8: EnterCriticalSection.KERNEL32(00C5070C,?,?,00B98747,00C52514), ref: 00BA0202
  • Part of subcall function 00BA01F8: LeaveCriticalSection.KERNEL32(00C5070C,?,00B98747,00C52514), ref: 00BA0235
Strings
Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
• String ID: 5$G$Variable must be of type 'Object'.
• API String ID: 535116098-3733170431
• Opcode ID: 347c4910f9cae7a2b12f3690a6673b227b1ba9d9079479f33e744f09763b213c
• Instruction ID: c0b7502f23d9bb21a070b4137fad3435f9d85aa86c2e4a947f710bd4e40300fe
• Opcode Fuzzy Hash: 347c4910f9cae7a2b12f3690a6673b227b1ba9d9079479f33e744f09763b213c
• Instruction Fuzzy Hash: B6919D74A04209EFCB18EF54D8919BDB7B1FF45300F108199F816AB2A1DB31AE85DB50
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\kjDPynh9vQ.exe,00000104), ref: 00BB1769
• _free.LIBCMT ref: 00BB1834
• _free.LIBCMT ref: 00BB183E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\kjDPynh9vQ.exe
• API String ID: 2506810119-2465117285
• Opcode ID: bdd586ceb04542a10defc41bb98139c9f8555acd9a3fffd011d13aa009abf32f
• Instruction ID: 0c054dc0fab29aeee79790b064190e942d4b6cec3b23dd3fe39e6ae48b8ad01f
• Opcode Fuzzy Hash: bdd586ceb04542a10defc41bb98139c9f8555acd9a3fffd011d13aa009abf32f
• Instruction Fuzzy Hash: 1A316175A40218ABDB21DB99DC95EEEBBFCEB85310F5445E6F804E7211DAB08E40CB90
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BEC306
• DeleteMenu.USER32(?,00000007,00000000), ref: 00BEC34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C51990,011B5330), ref: 00BEC395
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
• Opcode ID: 9525ec21fc1307f7bc7498886110e659492ee77cc2ebd5d9fbab0d9a2e673064
• Instruction ID: 4a53bd4481f4517bc967e7dc8f7a076e3a41d0b076896a9a1fe3aacdcfc94597
• Opcode Fuzzy Hash: 9525ec21fc1307f7bc7498886110e659492ee77cc2ebd5d9fbab0d9a2e673064
• Instruction Fuzzy Hash: AF41B1312043819FDB20DF26D884F5ABBE8EF85310F14869DF9A5972D2D730E905CB6A
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C1CC08,00000000,?,?,?,?), ref: 00C144AA
• GetWindowLongW.USER32 ref: 00C144C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C144D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Window$Long
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: SysTreeView32
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 847901565-1698111956
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 72ee529f8ba8c150b2467541f63e9d55586e10f3b907fcd0688003b3bb17a5f5
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 39b34a2aaf344648fc22aed6d1fe1967146b9c10b66ec4bf60f3ab7edc1f808d
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 72ee529f8ba8c150b2467541f63e9d55586e10f3b907fcd0688003b3bb17a5f5
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 80318F71210205AFDF249F38DC45BDA77AAEB0A334F204725F975921E0D770ED91A750
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00C0335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C03077,?,?), ref: 00C03378
                                                                                                                                                                                                                                                                                                                                                                                  • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C0307A
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00C0309B
                                                                                                                                                                                                                                                                                                                                                                                  • htons.WSOCK32(00000000,?,?,00000000), ref: 00C03106
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 255.255.255.255
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 946324512-2422070025
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: aac368bbbbd08de0f115d122a174792f7d70a8f3a5a3ca5e5e991b2e2b8f80b8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: fe90ed8fd25f2f09f29b84185dbf16892d0f627b428ce067649eaa143c7b6d27
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: aac368bbbbd08de0f115d122a174792f7d70a8f3a5a3ca5e5e991b2e2b8f80b8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E431F3392042819FDB10CF29C485EAA77F8EF55318F248099E9258B3E2CB32EF41C760
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C14705
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C14713
                                                                                                                                                                                                                                                                                                                                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C1471A
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend$DestroyWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: msctls_updown32
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4014797782-2298589950
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cc70d5c64b43fe5b91f90c876affd499a1eb5a24625cdafe805f5d0e094a935b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 55b6f1a5e752bd319cf232311c49fbf1bd5b525f16b3566dda5e2f5965e7a32b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cc70d5c64b43fe5b91f90c876affd499a1eb5a24625cdafe805f5d0e094a935b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 882162B5600204AFDB14DF64DCC5EAB37EDEB4B764B140059F91097291CB71ED51DB60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C13840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C13850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C13876
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE2258
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE228A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE22CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID: @U=u
• API String ID: 763830540-2594219639
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00BF4A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BF4A5C
• SetErrorMode.KERNEL32(00000000,?,?,00C1CC08), ref: 00BF4AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00BE1B4F
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BE1B61
• SendMessageW.USER32(?,0000000D,?,00000000), ref: 00BE1B99
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 217e8eb795145f301dcbfd2e96c4193da0b3e5fbb9f6e4ff9c90f93e73b57384
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 131a8d087a164d9a21eee50920d1df08a208199cd700d6c08e6dd7ae3dc27e96
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 217e8eb795145f301dcbfd2e96c4193da0b3e5fbb9f6e4ff9c90f93e73b57384
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FE216F32600159BFDB15DBADC941AEEB7E9EF45350F2008AAE105E7290DB71AE408B94
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000402,00000000,00000000), ref: 00C00D24
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(0000000C,00000000,?), ref: 00C00D65
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(0000000C,00000000,?), ref: 00C00D8D
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 5debc36b0dfd51ac38c99403299062d3de43158ecd9443926b8bf77496c92d25
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 26a777592e165f67ad6e90255c30feb0431e24dc9b36f5e856e1b13cbb5d6127
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5debc36b0dfd51ac38c99403299062d3de43158ecd9443926b8bf77496c92d25
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0219A75200A00AFD700EB64D9A5F6AB7E6FF1A710B118495F9199BAB1CB30FC50CBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C1424F
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C14264
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C14271
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: msctls_trackbar32
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-1010561917
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: ca3d6121964af740164b626fd2dfcb8fe674f45e5f748ea2da8e53591d197150
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: ff326e3ebd92322f6d205b7c99140183b2b61101a46ad18403a7ad04d1ff4198
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ca3d6121964af740164b626fd2dfcb8fe674f45e5f748ea2da8e53591d197150
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0811C671240248BEEF205F69CC46FEB3BACEF96B54F110524FA55E60A0D671DCA1EB10
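The report prints the SendMessageW message number as raw hex, so the three entries above only become readable once 0x0D/0x0E are resolved to WM_GETTEXT/WM_GETTEXTLENGTH and 0x405/0x406/0x414 to the trackbar messages that the msctls_trackbar32 string points at. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample's code: it parses API lines in the shape the report prints them, uses the entry's String ID as a control-class hint for WM_USER-range messages, and decodes the TBM_SETRANGE lParam into (min, max). The sample input is constructed from the lines above; the mapping covers only the constants that appear here, and the handling of three-argument lines (report omitted the unresolved hWnd, so the message is taken to be the first argument) is a heuristic, not documented report behaviour.

```python
"""Decode raw SendMessageW message IDs from Joe Sandbox function-analysis
entries. Added example; not part of the report or the analysed sample."""
import re
from typing import Optional

# Constructed input, copied in the shape the report prints its API lines.
SAMPLE = """\
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00BE1B4F
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BE1B61
• SendMessageW.USER32(?,0000000D,?,00000000), ref: 00BE1B99
• String ID: @U=u
APIs
• SendMessageW.USER32(00000402,00000000,00000000), ref: 00C00D24
• SendMessageW.USER32(0000000C,00000000,?), ref: 00C00D65
• String ID: @U=u
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C1424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C14264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C14271
• String ID: msctls_trackbar32
"""

WM_USER = 0x0400

# Class-independent window messages seen in the entries (winuser.h).
WM_NAMES = {
    0x000C: "WM_SETTEXT",
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x00B0: "EM_GETSEL",
}
# WM_USER+N is only meaningful relative to the control class; these are the
# msctls_trackbar32 values from commctrl.h.
TRACKBAR_NAMES = {
    WM_USER + 5: "TBM_SETPOS",
    WM_USER + 6: "TBM_SETRANGE",
    WM_USER + 20: "TBM_SETTICFREQ",
}
KNOWN_CLASSES = {"msctls_trackbar32": TRACKBAR_NAMES}

CALL_RE = re.compile(r"SendMessageW\.USER32\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")
STRING_RE = re.compile(r"String ID:\s*(.*)")


def decode_message(msg: int, control_class: Optional[str] = None) -> str:
    if msg in WM_NAMES:
        return WM_NAMES[msg]
    if WM_USER <= msg < 0x8000:
        names = KNOWN_CLASSES.get(control_class or "", {})
        return names.get(msg, f"WM_USER+{msg - WM_USER} (class-specific)")
    return f"0x{msg:04X}"


def parse_call(line: str) -> Optional[dict]:
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16) for a in m.group(1).split(",")]
    if len(args) == 4:
        hwnd, msg, wparam, lparam = args
    elif len(args) == 3:
        # Heuristic (assumption): the report dropped the unresolved hWnd.
        hwnd = None
        msg, wparam, lparam = args
    else:
        return None
    if msg is None:
        return None
    return {"ref": int(m.group(2), 16), "hwnd": hwnd, "msg": msg,
            "wparam": wparam, "lparam": lparam}


def summarize(calls: list) -> str:
    names = [c["name"] for c in calls]
    if "WM_GETTEXTLENGTH" in names and "WM_GETTEXT" in names:
        return "reads the text of a window/control (length query, then copy)"
    if any(n.startswith("TBM_") for n in names):
        return "configures a trackbar (slider) control"
    if "WM_SETTEXT" in names:
        return "writes text into a window/control"
    return "unclassified"


def parse_report(text: str) -> list:
    """Split the text into per-function entries (one per 'APIs' header)."""
    functions = []
    for raw in text.splitlines():
        s = raw.strip().lstrip("• ").strip()
        if s == "APIs":
            functions.append({"string_id": None, "calls": []})
            continue
        if not functions:
            continue
        sm = STRING_RE.search(s)
        if sm:
            functions[-1]["string_id"] = sm.group(1).strip()
            continue
        call = parse_call(s)
        if call:
            functions[-1]["calls"].append(call)
    for fn in functions:
        cls = fn["string_id"] if fn["string_id"] in KNOWN_CLASSES else None
        for c in fn["calls"]:
            c["name"] = decode_message(c["msg"], cls)
            if c["name"] == "TBM_SETRANGE" and c["lparam"] is not None:
                c["range"] = (c["lparam"] & 0xFFFF, c["lparam"] >> 16)  # MAKELONG(min, max)
        fn["summary"] = summarize(fn["calls"])
    return functions


if __name__ == "__main__":
    for i, fn in enumerate(parse_report(SAMPLE)):
        print(f"function {i}: {fn['summary']}")
        for c in fn["calls"]:
            print(f"  {c['ref']:08X} {c['name']} wParam={c['wparam']} lParam={c['lparam']}"
                  + (f" range={c['range']}" if "range" in c else ""))
```

Two things the decoder makes visible that the raw listing does not: the first entry is the WM_GETTEXTLENGTH-then-WM_GETTEXT pair (query the length, then copy the text) that implements reading a control's contents, and the trackbar entry's lParam 0x00640000 is MAKELONG(0, 100), i.e. a slider with range 0..100 and a tick every 10. The 0x402 in the second entry stays class-specific because its String ID ("@U=u") names no control class, so the script refuses to guess.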
APIs
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
  • Part of subcall function 00BE2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BE2DC5
  • Part of subcall function 00BE2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE2DD6
  • Part of subcall function 00BE2DA7: GetCurrentThreadId.KERNEL32 ref: 00BE2DDD
  • Part of subcall function 00BE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BE2DE4
• GetFocus.USER32 ref: 00BE2F78
  • Part of subcall function 00BE2DEE: GetParent.USER32(00000000), ref: 00BE2DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00BE2FC3
• EnumChildWindows.USER32(?,00BE303B), ref: 00BE2FEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: %s%d
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1272988791-1110647743
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d723012fe2ca52e2a1f53d74a135483ab5a7bcacdc15dc965488818b559f0522
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3f4a4e7f94d474f1086f1bca66619607a2b8ce04c53e8b38f7e06ffd7d3471ce
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d723012fe2ca52e2a1f53d74a135483ab5a7bcacdc15dc965488818b559f0522
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5911A2756002456BDF157F618CCAFEE37EAAF94314F0480B5BA099B163DF309945CB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00C134AB
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C134BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: @U=u$edit
• API String ID: 2978978980-590756393
• Opcode ID: 890b4ad2084136ca96dfb77e4aabc514139911b5280e2af6646be42baad0bb13
• Instruction ID: 5c6564e47447947f8c46e140627493ec972ebbe108db4ce344b1946af5084422
• Opcode Fuzzy Hash: 890b4ad2084136ca96dfb77e4aabc514139911b5280e2af6646be42baad0bb13
• Instruction Fuzzy Hash: DB11BF71100248AFEB228E64DC84BEB3BAAEB16378F504324F971931E0C731DE91AB50
APIs
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
  • Part of subcall function 00BE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BE3CCA
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BE1D4C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: @U=u$ComboBox$ListBox
• API String ID: 624084870-2258501812
• Opcode ID: 6ec0e37d3c07b2c2974b82c4aaffd2ab2c09e6b1c257d2248128b8291815a665
• Instruction ID: cdbfe5b1ddfc21d3611dcf3cbc8ed7f650837dd2e972952681afedc8f960fb43
• Opcode Fuzzy Hash: 6ec0e37d3c07b2c2974b82c4aaffd2ab2c09e6b1c257d2248128b8291815a665
• Instruction Fuzzy Hash: C001B571601218ABCB04FBA5CC559FE73E8FB46750B2449A9B822673D1EB315908C760
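The function listings above only show raw SendMessageW arguments (000000B1, 000001A2, 00000180), so a triager has to decode the message IDs by hand to see that these are Edit/ListBox control operations (EM_SETSEL, LB_FINDSTRINGEXACT, LB_ADDSTRING) of the AutoIt runtime's control-automation helpers, not sample-specific behaviour. The following is an added example, not part of the Joe Sandbox report or of the sample: a small parser for the "APIs" listing lines that extracts the call, module and reference address, names the window message in SendMessage*/PostMessage* calls from a table of winuser.h constants, and flags functions whose API set reads as GUI automation. The function names (`parse_api_line`, `decode_message`, `summarize`), the threshold in `summarize`, and the `GUI_AUTOMATION_APIS` set are choices made for this example; `SAMPLE_LISTING` is copied from the listings on this page.

```python
"""Decode Joe Sandbox 'APIs' listing lines and name the window messages they send."""
import re

# Message constants from winuser.h. Only the IDs that appear in this listing,
# plus the Edit/ComboBox counterparts AutoIt uses in the same code paths, are listed.
WINDOW_MESSAGES = {
    0x000C: "WM_SETTEXT",
    0x000D: "WM_GETTEXT",
    0x000E: "WM_GETTEXTLENGTH",
    0x00B0: "EM_GETSEL",
    0x00B1: "EM_SETSEL",
    0x00C2: "EM_REPLACESEL",
    0x0143: "CB_ADDSTRING",
    0x0158: "CB_FINDSTRINGEXACT",
    0x0180: "LB_ADDSTRING",
    0x01A2: "LB_FINDSTRINGEXACT",
}

# APIs that, seen together, indicate control/window automation (assumption for this example).
GUI_AUTOMATION_APIS = {
    "AttachThreadInput", "EnumChildWindows", "GetFocus",
    "GetClassNameW", "SendMessageW", "GetWindowTextLengthW",
}

# Matches the three line shapes in the report:
#   • GetFocus.USER32 ref: 00BE2F78
#   • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C134BA
#   • Part of subcall function 00BE2DA7: AttachThreadInput.USER32(...), ref: 00BE2DE4
API_LINE = re.compile(
    r"^\s*(?:[•*-]\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_line(line):
    """Return a dict describing one listing line, or None if the line is not an API entry."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in args.split(",")] if args is not None else [],
        "ref": m.group("ref"),
        "subcall": m.group("sub"),  # None when the call is made directly by the function
    }


def _hex_arg(arg):
    """Integer value of a resolved argument; None for '?' (unresolved at analysis time)."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def decode_message(call):
    """Name the message (second argument) of a SendMessage*/PostMessage* call; None otherwise."""
    if not call["api"].startswith(("SendMessage", "PostMessage")) or len(call["args"]) < 2:
        return None
    msg = _hex_arg(call["args"][1])
    if msg is None:
        return "?"
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


def summarize(lines):
    """Collect the API set and decoded messages of a listing and flag GUI-automation code."""
    calls = [c for c in map(parse_api_line, lines) if c]
    apis = {c["api"] for c in calls}
    messages = [m for m in (decode_message(c) for c in calls) if m]
    return {
        "apis": apis,
        "window_messages": messages,
        "gui_automation": len(apis & GUI_AUTOMATION_APIS) >= 3,
    }


# Listing lines copied from the functions shown on this page.
SAMPLE_LISTING = [
    "• Part of subcall function 00BE2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BE2DE4",
    "• GetFocus.USER32 ref: 00BE2F78",
    "• Part of subcall function 00BE2DEE: GetParent.USER32(00000000), ref: 00BE2DF9",
    "• GetClassNameW.USER32(?,?,00000100), ref: 00BE2FC3",
    "• EnumChildWindows.USER32(?,00BE303B), ref: 00BE2FEB",
    "• GetWindowTextLengthW.USER32(00000000), ref: 00C134AB",
    "• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C134BA",
    "• Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD",
    "• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BE1D4C",
    "• SendMessageW.USER32(?,00000180,00000000,?), ref: 00BE1C46",
]

if __name__ == "__main__":
    for line in SAMPLE_LISTING:
        call = parse_api_line(line)
        print(call["ref"], call["api"], decode_message(call) or "")
    print(summarize(SAMPLE_LISTING))
```

Running the block over the listing prints EM_SETSEL, LB_FINDSTRINGEXACT and LB_ADDSTRING for the three SendMessageW calls, which together with the ComboBox/ListBox/edit class-name strings in the "String ID" fields identifies the AutoIt control-command machinery; the flag from `summarize` is a triage hint for the listing as a whole, not a verdict on the sample.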
APIs
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
  • Part of subcall function 00BE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BE3CCA
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00BE1C46
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: @U=u$ComboBox$ListBox
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 624084870-2258501812
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 4571ad4e8f34b670abda380ce7e59d86e21bb9a9cd9db80222203c24bbcbac00
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 27f8ee2bf12c599539f898b7e8e9522f36d0d471e30bee9a3e7981b215e068b8
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4571ad4e8f34b670abda380ce7e59d86e21bb9a9cd9db80222203c24bbcbac00
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 950184756811446BCF04FB95C955AFF77E8DB11740F3404A9B416B7392EB219A08C7B1
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00BE3CCA
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00BE1CC8
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u$ComboBox$ListBox
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 624084870-2258501812
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: c129d9602ee92851d10401474c82af8a6e250f788d21c4b33155145cd91020e8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5b3f7560ef5f2f54e8d5195be86dfe438b9618970231ff59c731a990986244ab
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c129d9602ee92851d10401474c82af8a6e250f788d21c4b33155145cd91020e8
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E4018F7168125867CF04EBA5CA45AFE73E8EB11780F340495B802B7392EB219E48C771
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C158C1
                                                                                                                                                                                                                                                                                                                                                                                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C158EE
                                                                                                                                                                                                                                                                                                                                                                                  • DrawMenuBar.USER32(?), ref: 00C158FD
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Menu$InfoItem$Draw
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: 0
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3227129158-4108050209
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0c233c2ba76ed2656b973019023355db9c26d2db9bd38b19fd92ddbd421dbc9b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 3c216bf51136b44f0689bf96c21c8a153af59824cb826f3139e43479ed22d98d
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c233c2ba76ed2656b973019023355db9c26d2db9bd38b19fd92ddbd421dbc9b
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AA015731600218EFDB219F11DC44BEEBBB9FB86360F1080A9F849D6151DB308A85EF21
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetForegroundWindow.USER32(?,00C518B0,00C1A364,000000FC,?,00000000,00000000,?,?,?,00BD76CF,?,?,?,?,?), ref: 00C17805
                                                                                                                                                                                                                                                                                                                                                                                  • GetFocus.USER32 ref: 00C1780D
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99944: GetWindowLongW.USER32(?,000000EB), ref: 00B99952
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00C1787A
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: @U=u
• API String ID: 3601265619-2594219639
• Opcode ID: 2db3d8f7f12e60de0f41f4cbea54c7464cf0f66219293c37353cd1b644984b23
• Instruction ID: e79b2dee1c5edbd97ca4099e06a7b5581c8ef54f0df0ef7e79c313bc41067c2e
• Opcode Fuzzy Hash: 2db3d8f7f12e60de0f41f4cbea54c7464cf0f66219293c37353cd1b644984b23
• Instruction Fuzzy Hash: BE015E355012108FD725DB28D85CBAA33F5AF8A320B18026DE425972E0CB316D96CB40
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7fb71664debc15a42daaa98364c73b714d6f986953f44ce86413d3a2ddc57403
• Instruction ID: 143ae1b6984dd72b6400f878ba6bc53c7d5d04be00084c9a17cb7da6f6f3f0d4
• Opcode Fuzzy Hash: 7fb71664debc15a42daaa98364c73b714d6f986953f44ce86413d3a2ddc57403
• Instruction Fuzzy Hash: BAC15875A1024AEFCB14DFA9C894AAEB7F5FF48304F208598E505EB251D771EE81CB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
• Opcode ID: 416b9c3095c8cdd713e6407835c22c0c718a37e62702c8b3c9c6b4c22a460491
• Instruction ID: 54d16d31c4d5e7d3cc1711564368a76e26cba511cb2afaa4242271172caf8fc0
• Opcode Fuzzy Hash: 416b9c3095c8cdd713e6407835c22c0c718a37e62702c8b3c9c6b4c22a460491
• Instruction Fuzzy Hash: F1A171756143009FC700EF28C495A6AB7E9FF88714F14889DF9599B3A2DB31EE01CB51
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C1FC08,?), ref: 00BE05F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C1FC08,?), ref: 00BE0608
• CLSIDFromProgID.OLE32(?,?,00000000,00C1CC40,000000FF,?,00000000,00000800,00000000,?,00C1FC08,?), ref: 00BE062D
• _memcmp.LIBVCRUNTIME ref: 00BE064E
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 54d924f3d8d855966b1e11db273f544ff3fc6664d969f0424951a22bd8fedee8
• Instruction ID: 451f1f67039c43121b10799e54cfa8973d7bd9041cbca3fe60d1e5c26ffc3f86
• Opcode Fuzzy Hash: 54d924f3d8d855966b1e11db273f544ff3fc6664d969f0424951a22bd8fedee8
• Instruction Fuzzy Hash: C6810871A10109EFCB04DF94C984EEEB7F9FF89315F208598E516AB250DB71AE46CB60
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00C0A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 00C0A6BA
  • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
• Process32NextW.KERNEL32(00000000,?), ref: 00C0A79C
• CloseHandle.KERNEL32(00000000), ref: 00C0A7AB
  • Part of subcall function 00B9CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BC3303,?), ref: 00B9CE8A
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1991900642-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a3e05bcb16b45d1cad862054f397ff7413af30a91e3e118b3cadb66deb783253
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dabee961ebe5fe91d073f87015303f8e062872398d9dca441947f9bb0b476ba5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a3e05bcb16b45d1cad862054f397ff7413af30a91e3e118b3cadb66deb783253
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D514BB1508311AFD710EF24D886A6FBBE8FF89754F00896DF595972A1EB30D904CB92
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 6216ce970fa4cda2b990200dc07fc609cdd6290a6fc5488e50166fcb8e8174ba
• Instruction ID: 6d007ef721a1326dad92abd6793f985051e2b1a383a6eddf099bcc1216f3316b
• Opcode Fuzzy Hash: 6216ce970fa4cda2b990200dc07fc609cdd6290a6fc5488e50166fcb8e8174ba
• Instruction Fuzzy Hash: 4541E731600601ABDB296BBD8C85FFE3AE5EF43360F244AE9F419F6393E67448415A61
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00C01AFD
• WSAGetLastError.WSOCK32 ref: 00C01B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C01B8A
• WSAGetLastError.WSOCK32 ref: 00C01B94
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: 3ae76800ccfd9889e3f81f10923e0d78ab4fc1b32afe1c40dc3b3e462f273764
• Instruction ID: 45be89e67eb921a811c75d1d42f833eae5bdb87db32e154359e3eecceece7a82
• Opcode Fuzzy Hash: 3ae76800ccfd9889e3f81f10923e0d78ab4fc1b32afe1c40dc3b3e462f273764
• Instruction Fuzzy Hash: C9418174640200AFE720AF24C886F6977E5AF44718F58C498FA2A9F7D2D772DD41CB90
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 254ac6e49a62f4b55da0b9a0835f26d85709d45b860984a07f2af1087336e272
• Instruction ID: c0f55eba74e345d408bfb56fad4701f6b20c49c425601b29ab71e406674be8ca
• Opcode Fuzzy Hash: 254ac6e49a62f4b55da0b9a0835f26d85709d45b860984a07f2af1087336e272
• Instruction Fuzzy Hash: 1641D171A00714AFD724AF78C841FFABBE9EB89710F1046AEF146DB682D7F199018780
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BF5783
• GetLastError.KERNEL32(?,00000000), ref: 00BF57A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BF57CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BF57FA
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 4899a34c17aa79656e30fcf5425dd5343515b739e9fd2132f64711d491bb5ff9
• Instruction ID: f7b522aa6919d969dba2cad9c9618dad13349a6b1f9485eb837a8d17b240ba4b
• Opcode Fuzzy Hash: 4899a34c17aa79656e30fcf5425dd5343515b739e9fd2132f64711d491bb5ff9
• Instruction Fuzzy Hash: 60410939600610DFCB11EF15C494A5DBBE1EF59724B188488E95AAB372CB30FD44CB91
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BA6D71,00000000,00000000,00BA82D9,?,00BA82D9,?,00000001,00BA6D71,8BE85006,00000001,00BA82D9,00BA82D9), ref: 00BBD910
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BBD999
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BBD9AB
• __freea.LIBCMT ref: 00BBD9B4
  • Part of subcall function 00BB3820: RtlAllocateHeap.NTDLL(00000000,?,00C51444,?,00B9FDF5,?,?,00B8A976,00000010,00C51440,00B813FC,?,00B813C6,?,00B81129), ref: 00BB3852
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: c08020fee40f84c42ab3379a8244dd7cb6e64fc44577615c34441c37e535157e
• Instruction ID: cf1a14495cdd00151e8207b0d50360e32a68b2bedbbcccdbd09b011add04ef7c
• Opcode Fuzzy Hash: c08020fee40f84c42ab3379a8244dd7cb6e64fc44577615c34441c37e535157e
• Instruction Fuzzy Hash: DB31AB72A0020AABDF249F64DC85EFE7BE5EB41710F1542A8FC44D6260EB79CD54CBA0
APIs
• GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00BEABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00BEAC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00BEAC74
• SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00BEACC6
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: cb111947127a8cf9e0ca2fd3cc20000a189497613163abe82a972dbe06499a5a
• Instruction ID: d6fae345288230dc9bd913f2b704f083e794da9f6841e2036ad3c3c789ebd93e
• Opcode Fuzzy Hash: cb111947127a8cf9e0ca2fd3cc20000a189497613163abe82a972dbe06499a5a
• Instruction Fuzzy Hash: 38311430A403986FEB348B668C447FE7BE9EB89310F28439AF485923D0C374A9858752
APIs
• ClientToScreen.USER32(?,?), ref: 00C1769A
• GetWindowRect.USER32(?,?), ref: 00C17710
• PtInRect.USER32(?,?,00C18B89), ref: 00C17720
• MessageBeep.USER32(00000000), ref: 00C1778C
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1352109105-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9a1004fd9fb53b77c279f092e50e272279c313898d7e0ad15ec73d4aa6529b63
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 4a1b5d9a46f0fff5a2a95e044dce962fb538d0076c94e58b88659173f1eea6b3
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9a1004fd9fb53b77c279f092e50e272279c313898d7e0ad15ec73d4aa6529b63
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 40415378605214DFCB12CF58C894FEDB7F5BB46315F1942A9E8249B2A1C730EA81DBD0
APIs
• GetForegroundWindow.USER32 ref: 00C116EB
  • Part of subcall function 00BE3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE3A57
  • Part of subcall function 00BE3A3D: GetCurrentThreadId.KERNEL32 ref: 00BE3A5E
  • Part of subcall function 00BE3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00BE25B3), ref: 00BE3A65
• GetCaretPos.USER32(?), ref: 00C116FF
• ClientToScreen.USER32(00000000,?), ref: 00C1174C
• GetForegroundWindow.USER32 ref: 00C11752
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 7a57992756428b5953f8d91321cc270053cdd4dbdbb8d14265feb906e8107d07
• Instruction ID: dff61ae2f41d241c390de2da845c5d1b7a24e7ae7cd0ef3726b2b6b0057458d3
• Opcode Fuzzy Hash: 7a57992756428b5953f8d91321cc270053cdd4dbdbb8d14265feb906e8107d07
• Instruction Fuzzy Hash: 3C315071D00149AFD700EFAAC881DEEBBF9EF49304B5480A9E515E7251DB35DE45CBA0
APIs
  • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
• GetCursorPos.USER32(?), ref: 00C19001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00BD7711,?,?,?,?,?), ref: 00C19016
• GetCursorPos.USER32(?), ref: 00C1905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00BD7711,?,?,?), ref: 00C19094
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: a1040991c3f32a7d4d2dc480533b0f23c1036e60c7816697c02b7cfc9ad73851
• Instruction ID: cf7caad6f137af2c25f434e019033a74d14845a6352dbdfcdd82ae1b8d0aeb46
• Opcode Fuzzy Hash: a1040991c3f32a7d4d2dc480533b0f23c1036e60c7816697c02b7cfc9ad73851
• Instruction Fuzzy Hash: 20216D35600118AFDB25CF94C8A8FEE7BB9FB4E361F144069F91557261C7319EA0EB60
APIs
• GetFileAttributesW.KERNEL32(?,00C1CB68), ref: 00BED2FB
• GetLastError.KERNEL32 ref: 00BED30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00BED319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C1CB68), ref: 00BED376
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2267087916-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 47ec9b51000c362aaf7fa070c08c6676e6e10a2e3aae9bad4f9f115d76add783
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 2422fbdcf6b25b5100a8092e828bdad483d990bcab584a06162e0394478123d1
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 47ec9b51000c362aaf7fa070c08c6676e6e10a2e3aae9bad4f9f115d76add783
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7721E0745083019F8700EF29C8819AEB7E8FE5A364F504A9DF499C72E1EB30D946CB97
                                                                                                                                                                                                                                                                                                                                                                                  APIs
  • Part of subcall function 00BE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00BE102A
  • Part of subcall function 00BE1014: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00BE1036
  • Part of subcall function 00BE1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00BE1045
  • Part of subcall function 00BE1014: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00BE104C
  • Part of subcall function 00BE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00BE1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BE15BE
• _memcmp.LIBVCRUNTIME ref: 00BE15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BE1617
• HeapFree.KERNEL32(00000000), ref: 00BE161E
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 5840c002c06ed4998e394340f71712216a3bb163519f90a8e18799e7c2ac1e96
• Instruction ID: fd9ad31f96b40ed91e6dc8a3504b8b248c65c7de284b08f61348435f7c952521
• Opcode Fuzzy Hash: 5840c002c06ed4998e394340f71712216a3bb163519f90a8e18799e7c2ac1e96
• Instruction Fuzzy Hash: C6218E31E40108EFDF00DFA9C945BEEB7F8EF45354F288899E445A7241D730AA05CB90
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00C1280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C12824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C12832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C12840
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: acdc068e804b657df67ed58f8aec9b1cd2595c5627e8e0da6f85ab69300d75fb
• Instruction ID: 0ffb3e90392eb45e7952c2e0d16308b9a0b0e95b11560d1a0d5192f3e7931b79
• Opcode Fuzzy Hash: acdc068e804b657df67ed58f8aec9b1cd2595c5627e8e0da6f85ab69300d75fb
• Instruction Fuzzy Hash: CD21CF39204111AFE7149B24C884FEA7B96AF86324F148158F4268B6E2CB71FD92DBD0
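The two listings above, the GetTokenInformation / LookupPrivilegeValueW / _memcmp chain and the GetWindowLongW / SetWindowLongW / SetLayeredWindowAttributes chain, are the raw material a triage script works from. What follows is an added example, not part of the Joe Sandbox report, that parses lines in this listing format into structured calls and runs two checks over them. The sample lines are copied from this section; `parse_api_line`, `hex_arg`, `token_queries` and `layered_window_pattern` are names chosen for the example. The first check names the TOKEN_INFORMATION_CLASS from the numeric value rather than the printed label: value 3 is TokenPrivileges (TokenIntegrityLevel is 25), which fits the LookupPrivilegeValueW and _memcmp calls that follow in the same function, i.e. a test for a named privilege in the token. The second check matches a GWL_EXSTYLE edit (the constant is -20, 0xFFFFFFEC, printed here as 000000EC) followed by SetLayeredWindowAttributes with LWA_ALPHA (2), the sequence used to change a layered window's opacity; the alpha argument is ? in the dump, so the script flags the sequence without claiming the window was made invisible.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines in the shape the per-function listings of this
# report print them (bullet, optional "Part of subcall" prefix, one annotated
# argument, one call without an argument list, one non-API line to be skipped).
SAMPLE_LINES = [
    "• Part of subcall function 00BE1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BE102A",
    "• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BE15BE",
    "• _memcmp.LIBVCRUNTIME ref: 00BE15E1",
    "• GetWindowLongW.USER32(?,000000EC), ref: 00C1280A",
    "• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C12824",
    "• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C12840",
    "• lstrcmpiW.KERNEL32(00000002,cdecl,?,00BE8754,00000000,?,0000001C,?,?,00000000), ref: 00BE7984",
    "Memory Dump Source",
]

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>(?:[^()]|\([^()]*\))*)\))?"  # one nesting level: 00000003(TokenIntegrityLevel)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# An argument is eight hex digits, optionally followed by the sandbox's label in parentheses.
HEX_ARG_RE = re.compile(r"^([0-9A-Fa-f]{8})(?:\([^()]*\))?$")

# Win32 constants (winuser.h / winnt.h). GWL_EXSTYLE is -20; as a DWORD that is
# 0xFFFFFFEC, but the listing prints it as 000000EC, so both spellings are accepted.
GWL_EXSTYLE_FORMS = (0xEC, 0xFFFFFFEC)
LWA_ALPHA = 0x2
TOKEN_INFORMATION_CLASS = {3: "TokenPrivileges", 20: "TokenElevation", 25: "TokenIntegrityLevel"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: str                    # address of the call instruction
    subcall_of: Optional[str]   # set when the line came from a callee of the listed function


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; return None for headings and other non-API lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("func"), m.group("module"), args, m.group("ref"), m.group("sub"))


def parse_api_lines(lines) -> List[ApiCall]:
    return [c for c in (parse_api_line(line) for line in lines) if c is not None]


def hex_arg(token: str) -> Optional[int]:
    """Decode a printed argument; '?' (unknown at dump time) and string arguments give None."""
    m = HEX_ARG_RE.match(token.strip())
    return int(m.group(1), 16) if m else None


def _has_flag(token: str, flag: int) -> bool:
    v = hex_arg(token)
    return v is not None and (v & flag) == flag


def token_queries(calls: List[ApiCall]) -> List[str]:
    """Name the TOKEN_INFORMATION_CLASS of each GetTokenInformation call from its value, not its label."""
    out = []
    for c in calls:
        if c.func == "GetTokenInformation" and len(c.args) >= 2:
            cls = hex_arg(c.args[1])
            out.append(TOKEN_INFORMATION_CLASS.get(cls, "class %s" % cls))
    return out


def layered_window_pattern(calls: List[ApiCall]) -> bool:
    """True when GWL_EXSTYLE is read or written and a layered-window alpha is then applied.
    With WS_EX_LAYERED set, SetLayeredWindowAttributes(hwnd, key, alpha, LWA_ALPHA) with
    alpha 0 leaves a window that exists but cannot be seen; the alpha here is '?' in the dump."""
    exstyle_edit = any(
        c.func in ("GetWindowLongW", "SetWindowLongW", "GetWindowLongA", "SetWindowLongA")
        and len(c.args) >= 2 and hex_arg(c.args[1]) in GWL_EXSTYLE_FORMS
        for c in calls
    )
    alpha_set = any(
        c.func == "SetLayeredWindowAttributes" and len(c.args) == 4 and _has_flag(c.args[3], LWA_ALPHA)
        for c in calls
    )
    return exstyle_edit and alpha_set


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    for c in calls:
        print(c.ref, c.module, c.func, c.args, "via " + c.subcall_of if c.subcall_of else "")
    print("token classes queried:", token_queries(calls))
    print("layered-window alpha pattern:", layered_window_pattern(calls))
```

The argument decoder deliberately requires exactly eight hex digits, so a string argument such as `cdecl` (all of whose leading letters happen to be hex digits) is not mistaken for a number; labels the sandbox appends in parentheses are accepted but ignored when deciding what the value is.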
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00BE790A,?,000000FF,?,00BE8754,00000000,?,0000001C,?,?), ref: 00BE8D8C
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE8D7D: lstrcpyW.KERNEL32(00000000,?,?,00BE790A,?,000000FF,?,00BE8754,00000000,?,0000001C,?,?,00000000), ref: 00BE8DB2
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE8D7D: lstrcmpiW.KERNEL32(00000000,?,00BE790A,?,000000FF,?,00BE8754,00000000,?,0000001C,?,?), ref: 00BE8DE3
                                                                                                                                                                                                                                                                                                                                                                                  • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00BE8754,00000000,?,0000001C,?,?,00000000), ref: 00BE7923
                                                                                                                                                                                                                                                                                                                                                                                  • lstrcpyW.KERNEL32(00000000,?,?,00BE8754,00000000,?,0000001C,?,?,00000000), ref: 00BE7949
                                                                                                                                                                                                                                                                                                                                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00BE8754,00000000,?,0000001C,?,?,00000000), ref: 00BE7984
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00C17D0B
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C17D2A
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C17D42
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BFB7AD,00000000), ref: 00C17D6B
  • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00BE1A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BE1A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BE1A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BE1A8A
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00BEE1FD
• MessageBoxW.USER32(?,?,?,?), ref: 00BEE230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BEE246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BEE24D
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• CreateThread.KERNEL32(00000000,?,00BACFF9,00000000,00000004,00000000), ref: 00BAD218
• GetLastError.KERNEL32 ref: 00BAD224
• __dosmaperr.LIBCMT ref: 00BAD22B
• ResumeThread.KERNEL32(00000000), ref: 00BAD249
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
APIs
• GetSysColor.USER32(00000008), ref: 00B998CC
• SetTextColor.GDI32(?,?), ref: 00B998D6
• SetBkMode.GDI32(?,00000001), ref: 00B998E9
• GetStockObject.GDI32(00000005), ref: 00B998F1
• GetWindowLongW.USER32(?,000000EB), ref: 00B99952
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Color$LongModeObjectStockTextWindow
• String ID:
• API String ID: 1860813098-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00BA3B56
  • Part of subcall function 00BA3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00BA3AD2
  • Part of subcall function 00BA3AA3: ___AdjustPointer.LIBCMT ref: 00BA3AED
• _UnwindNestedFrames.LIBCMT ref: 00BA3B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00BA3B7C
• CallCatchBlock.LIBVCRUNTIME ref: 00BA3BA4
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B813C6,00000000,00000000,?,00BB301A,00B813C6,00000000,00000000,00000000,?,00BB328B,00000006,FlsSetValue), ref: 00BB30A5
• GetLastError.KERNEL32(?,00BB301A,00B813C6,00000000,00000000,00000000,?,00BB328B,00000006,FlsSetValue,00C22290,FlsSetValue,00000000,00000364,?,00BB2E46), ref: 00BB30B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BB301A,00B813C6,00000000,00000000,00000000,?,00BB328B,00000006,FlsSetValue,00C22290,FlsSetValue,00000000), ref: 00BB30BF
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3177248105-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cb00ec62b57674aca49c5dbc4c62ac5241a6e46ec86a46221396970d112ccdd6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: dd26f03ce718cd3b462eaa7dd685fee170bf38fad298880324de723cbd8e0500
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb00ec62b57674aca49c5dbc4c62ac5241a6e46ec86a46221396970d112ccdd6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0401D836745222ABC7315A789C84BFB77D8EF05F61B644660F915E3140C7A1D901C6D0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BE747F
                                                                                                                                                                                                                                                                                                                                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BE7497
                                                                                                                                                                                                                                                                                                                                                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BE74AC
                                                                                                                                                                                                                                                                                                                                                                                  • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BE74CA
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1352324309-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 7ce1583fd6d4f73de91bb0b47a2aedd499fd340bf0c5aa3fa1358064beca2d57
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 41e3e92c72a223971a5a2d1a7174450686e1afb331b2d985bd4f2640f5cf7f9c
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7ce1583fd6d4f73de91bb0b47a2aedd499fd340bf0c5aa3fa1358064beca2d57
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6411A1B5289354ABE7208F15EC48FA67BFCFB00B00F10C5A9B616D6291DB70E904DB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB0C4
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB0E9
                                                                                                                                                                                                                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB0F3
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB126
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CounterPerformanceQuerySleep
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2875609808-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: cb73de5e27ceafa8537fdd2b263d7345e862df6ec3c0837e2cb14eedf77dd694
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f801130c185268371dd7b2323adf7a9443eaee9c5b8c4d1019c0a37619576dd5
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb73de5e27ceafa8537fdd2b263d7345e862df6ec3c0837e2cb14eedf77dd694
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0D113C31C41658E7CF00AFE5E998BEFBBB8FF0A721F108095E941B2141CB3095509B52
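The four API chains listed around this point do not carry the same weight in triage. The QueryPerformanceCounter / Sleep / QueryPerformanceCounter / Sleep sequence is the execution-timing check the report flags under "Contains functionality for execution timing": the two counter reads bracket a Sleep so the code can tell whether the wait was fast-forwarded by a sandbox or stepped over in a debugger. The LoadLibraryExW(..., 0x800) / GetLastError / LoadLibraryExW(..., 0) sequence is the opposite case: dwFlags 0x800 is LOAD_LIBRARY_SEARCH_SYSTEM32, the retry with dwFlags 0 runs only after the error check, and the FlsSetValue string in the argument list is the API the thunk resolves, which is how the MSVC CRT loads its API-set DLLs and is expected in any CRT-linked binary. SendMessageTimeoutW with fuFlags 2 (SMTO_ABORTIFHUNG) and uTimeout 0x1388 (5000 ms) pings a target window before AttachThreadInput joins its input queue, and the RegisterTypeLib / RegisterTypeLibForUser pair is COM type library self-registration with a per-user fallback when the process is not elevated. The script below is an added example, not Joe Sandbox or the sample's own code: it parses these "APIs" entries (copied into SAMPLE as constructed input, including the one listed after this block) and tags each function with the pattern its ordered call chain matches. The tag names and the API_RE line format are this example's own assumptions about the listing, not a Joe Sandbox interface.

```python
"""Tag Joe Sandbox per-function API chains with the behaviour they match.
Added example, not Joe Sandbox code; the tag names are this example's own."""
import re

# Constructed input: the "APIs" entries of four functions, copied from this report.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B813C6,00000000,00000000,?,00BB301A,00B813C6,00000000,00000000,00000000,?,00BB328B,00000006,FlsSetValue), ref: 00BB30A5
• GetLastError.KERNEL32(?,00BB301A,00B813C6,00000000,00000000,00000000,?,00BB328B,00000006,FlsSetValue,00C22290,FlsSetValue,00000000,00000364,?,00BB2E46), ref: 00BB30B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BB301A,00B813C6,00000000,00000000,00000000,?,00BB328B,00000006,FlsSetValue,00C22290,FlsSetValue,00000000), ref: 00BB30BF
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00BE747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BE7497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BE74AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BE74CA
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00BEACD3,?,00008000), ref: 00BEB126
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BE2DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE2DD6
• GetCurrentThreadId.KERNEL32 ref: 00BE2DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BE2DE4
"""

# Assumed line shape: "• Name.MODULE(arg,arg,...), ref: ADDR" (argument list optional).
API_RE = re.compile(r"•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
                    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # LoadLibraryExW dwFlags (third argument)
SMTO_ABORTIFHUNG = 0x2                # SendMessageTimeoutW fuFlags (fifth argument)


def parse_functions(text):
    """Split the listing at each 'APIs' header; one ordered call list per function."""
    functions = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            functions.append([])
            continue
        m = API_RE.search(line)
        if m and functions:
            args = m.group("args")
            functions[-1].append({"name": m.group("name"), "module": m.group("module"),
                                  "args": args.split(",") if args else [],
                                  "ref": m.group("ref")})
    return functions


def arg_int(call, index):
    """The index-th argument as an int, or None when it is '?' or absent."""
    try:
        return int(call["args"][index], 16)
    except (IndexError, ValueError):
        return None


def string_args(calls):
    """Arguments that are neither '?' nor an 8-digit hex value: strings the function touches."""
    return sorted({a for c in calls for a in c["args"]
                   if a != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", a)})


def classify(calls):
    """Pattern tags matched by one function's ordered API chain."""
    names = [c["name"] for c in calls]
    tags = []
    # Two QueryPerformanceCounter reads bracketing a Sleep: the "did the sleep really
    # take that long" probe used against debuggers and time-accelerating sandboxes.
    qpc = [i for i, n in enumerate(names) if n == "QueryPerformanceCounter"]
    if len(qpc) >= 2 and any(qpc[0] < i < qpc[-1] for i, n in enumerate(names) if n == "Sleep"):
        tags.append("timing-check")
    # LoadLibraryExW(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32), GetLastError, then a retry
    # with dwFlags=0: the guarded system-DLL load the MSVC CRT thunks perform. Benign alone.
    for i, c in enumerate(calls):
        if c["name"] == "LoadLibraryExW" and arg_int(c, 2) == LOAD_LIBRARY_SEARCH_SYSTEM32:
            rest = calls[i + 1:]
            if any(r["name"] == "GetLastError" for r in rest) and any(
                    r["name"] == "LoadLibraryExW" and arg_int(r, 2) == 0 for r in rest):
                tags.append("guarded-system32-load")
            break
    # GetWindowThreadProcessId + AttachThreadInput: join a foreign window's input queue to
    # drive its focus/keyboard state; SendMessageTimeoutW(SMTO_ABORTIFHUNG) pings it first.
    if "AttachThreadInput" in names and "GetWindowThreadProcessId" in names:
        tags.append("input-queue-attach")
        probe = next((c for c in calls if c["name"] == "SendMessageTimeoutW"), None)
        flags = arg_int(probe, 4) if probe else None
        if flags is not None and flags & SMTO_ABORTIFHUNG:
            tags.append("hung-window-probe")
    # RegisterTypeLib with a RegisterTypeLibForUser fallback: COM type library
    # self-registration that still succeeds without administrator rights.
    if "RegisterTypeLib" in names and "RegisterTypeLibForUser" in names:
        tags.append("typelib-self-register")
    return tags


def report(text):
    """One summary per function: first call site, matched tags, referenced strings."""
    return [{"ref": calls[0]["ref"], "tags": classify(calls), "strings": string_args(calls)}
            for calls in parse_functions(text) if calls]


if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry["ref"], ",".join(entry["tags"]) or "-", entry["strings"])
```

Run stand-alone it prints one line per function, for example "00BB30A5 guarded-system32-load ['FlsSetValue']" for the first chain and "00BEB0C4 timing-check []" for the third. The tags are deliberately coarse: "timing-check" is what this section's signature is about, "guarded-system32-load" is there to stop the FlsSetValue thunk from being read as dynamic API resolution by the malware itself, and the remaining two describe capability rather than intent, so they need the surrounding behaviour (which window is targeted, what the type library registers) before they mean anything.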
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BE2DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00BE2DD6
• GetCurrentThreadId.KERNEL32 ref: 00BE2DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00BE2DE4
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2710830443-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 52aa82573527c5d88ac9bdf71832723dfbe0bdcb2d6e7d17c66f2c8faf2c3caf
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: d1f6d40375eb1fe3e2281a3420b2c596e37348f216ada2976d3f48553c0b7555
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 52aa82573527c5d88ac9bdf71832723dfbe0bdcb2d6e7d17c66f2c8faf2c3caf
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5CE06D71581224BAD7201B639C8DFEF3EACFB43BA1F008165B605D1080DAA0C841C6B0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B99693
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99639: SelectObject.GDI32(?,00000000), ref: 00B996A2
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99639: BeginPath.GDI32(?), ref: 00B996B9
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B99639: SelectObject.GDI32(?,00000000), ref: 00B996E2
                                                                                                                                                                                                                                                                                                                                                                                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C18887
                                                                                                                                                                                                                                                                                                                                                                                  • LineTo.GDI32(?,?,?), ref: 00C18894
                                                                                                                                                                                                                                                                                                                                                                                  • EndPath.GDI32(?), ref: 00C188A4
                                                                                                                                                                                                                                                                                                                                                                                  • StrokePath.GDI32(?), ref: 00C188B2
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1539411459-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 76cf27f2e5eef204d0e5099dd30a4c5b668c3259c139e07132b3f709c371eb41
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c3d89ff00a51820a2612048135b63c982c86f1e96b28501da44cf9daa1a4d2dd
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 76cf27f2e5eef204d0e5099dd30a4c5b668c3259c139e07132b3f709c371eb41
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D1F03A36085258BAEB125F94AC0EFCE3B59AF0B711F048040FA11650E1C7755651DBE9
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetSysColor.USER32(00000008), ref: 00B998CC
                                                                                                                                                                                                                                                                                                                                                                                  • SetTextColor.GDI32(?,?), ref: 00B998D6
                                                                                                                                                                                                                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00B998E9
                                                                                                                                                                                                                                                                                                                                                                                  • GetStockObject.GDI32(00000005), ref: 00B998F1
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Color$ModeObjectStockText
                                                                                                                                                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 4037423528-0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: bba26b41902082e2f259a17647018b8fff7ee01a2575e85935a03df63bd35aee
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6bc85ddb6fdc3df0c1609d7694a8ced75ae431ddd78eb02ba67997f81c791a32
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bba26b41902082e2f259a17647018b8fff7ee01a2575e85935a03df63bd35aee
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1AE039312C4280AAEB215B78AC49BEC7B61FB13336F24C25AF6BA581E1D77146409B11
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 00BE1634
                                                                                                                                                                                                                                                                                                                                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00BE11D9), ref: 00BE163B
                                                                                                                                                                                                                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BE11D9), ref: 00BE1648
                                                                                                                                                                                                                                                                                                                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00BE11D9), ref: 00BE164F
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 68d91466b8057518859e796953483821aff0af7d2466e6b995fd3addd7d5e9dd
• Instruction ID: b741b56692405c55f1423bef08c22ba44047ed3a2f8a6272f90285fd473e3929
• Opcode Fuzzy Hash: 68d91466b8057518859e796953483821aff0af7d2466e6b995fd3addd7d5e9dd
• Instruction Fuzzy Hash: 4CE04F31641211DFD7201BA59D4DBCA3BB8FF46791F14CC48F245C9090D73445418750
APIs
• GetDesktopWindow.USER32 ref: 00BDD858
• GetDC.USER32(00000000), ref: 00BDD862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BDD882
• ReleaseDC.USER32(?), ref: 00BDD8A3
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 010e8bff812fb2aee14f121d75b89a6c495d969788f8920e331e504bfcc5eced
• Instruction ID: 2e98fd68761ed00c9f5ffde3cc87e690ce47d98773a27b7145671e6ca09f8571
• Opcode Fuzzy Hash: 010e8bff812fb2aee14f121d75b89a6c495d969788f8920e331e504bfcc5eced
• Instruction Fuzzy Hash: 81E01AB4840204EFCF41AFA0D8887ADBBF1FB09310F10D059F85AE7250C7384901AF50
APIs
• GetDesktopWindow.USER32 ref: 00BDD86C
• GetDC.USER32(00000000), ref: 00BDD876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BDD882
• ReleaseDC.USER32(?), ref: 00BDD8A3
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 33a384c7727014620e3e823168dc23f562864575aa7c3352148025beca75dd9d
• Instruction ID: ed971406979b40b8d25efcf6310ea3d74b53e6d28147ee1118d718482d3a37c4
• Opcode Fuzzy Hash: 33a384c7727014620e3e823168dc23f562864575aa7c3352148025beca75dd9d
• Instruction Fuzzy Hash: 40E092B5C40204EFCF51AFA1D8887ADBBF5BB09311B14D459F95AE7260CB385A05AF50
APIs
  • Part of subcall function 00B87620: _wcslen.LIBCMT ref: 00B87625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BF4ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
• Opcode ID: 3334b2b54e433e3dc6b59eadf0f4bf9b5f3ea304bef708bf245b3b045c2f9b11
• Instruction ID: 672352ef2ee9ed8dbef91e48f615e11771f9b483254c0aa3ca9891a5de683f25
• Opcode Fuzzy Hash: 3334b2b54e433e3dc6b59eadf0f4bf9b5f3ea304bef708bf245b3b045c2f9b11
• Instruction Fuzzy Hash: AA913B75A002089FCB14DF58C494EAABBF1FF45318F1880D9E94A9B762D731ED89CB91
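The per-function records above are raw IDA-plugin output: an APIs list, the memory dump the function was lifted from, and the Similarity fields (API ID, String ID, opcode and instruction fuzzy hashes) that Joe Sandbox uses to match functions across samples. Reading hundreds of these by eye is slow, so the following Python parser, an added example and not Joe Sandbox tooling or part of this report, turns the blocks into structured records and flags two chains an analyst would want to look at: the GetDeviceCaps call with index 0000000C (BITSPIXEL, the display colour depth, which on its own is ordinary GUI-runtime housekeeping rather than a sandbox check) and the WNetUseConnectionW call that connects the process to a network resource. The sample text is copied from two records on this page; the reading of String ID as a "$"-joined list of the function's strings, and the triage notes, are my assumptions.

```python
"""Parse Joe Sandbox per-function records into structured data for triage.

Added example for this report page; it is not Joe Sandbox tooling.
"""
import re

# Constructed sample: two records copied from the function listing on this page.
SAMPLE = """\
APIs
• GetDesktopWindow.USER32 ref: 00BDD858
• GetDC.USER32(00000000), ref: 00BDD862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00BDD882
• ReleaseDC.USER32(?), ref: 00BDD8A3
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 010e8bff812fb2aee14f121d75b89a6c495d969788f8920e331e504bfcc5eced
• Instruction ID: 2e98fd68761ed00c9f5ffde3cc87e690ce47d98773a27b7145671e6ca09f8571
• Opcode Fuzzy Hash: 010e8bff812fb2aee14f121d75b89a6c495d969788f8920e331e504bfcc5eced
• Instruction Fuzzy Hash: 81E01AB4840204EFCF41AFA0D8887ADBBF1FB09310F10D059F85AE7250C7384901AF50
APIs
  • Part of subcall function 00B87620: _wcslen.LIBCMT ref: 00B87625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00BF4ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
• Opcode ID: 3334b2b54e433e3dc6b59eadf0f4bf9b5f3ea304bef708bf245b3b045c2f9b11
• Instruction ID: 672352ef2ee9ed8dbef91e48f615e11771f9b483254c0aa3ca9891a5de683f25
• Opcode Fuzzy Hash: 3334b2b54e433e3dc6b59eadf0f4bf9b5f3ea304bef708bf245b3b045c2f9b11
• Instruction Fuzzy Hash: AA913B75A002089FCB14DF58C494EAABBF1FF45318F1880D9E94A9B762D731ED89CB91
"""

# One API line: optional "Part of subcall function XXXX: " prefix, Name.MODULE,
# optional (args), then "ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
BITSPIXEL = 12  # wingdi.h GetDeviceCaps index: bits per pixel of the display


def parse_records(text):
    """Split report text into one dict per function record (each starts at 'APIs')."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s == "APIs":                       # a new function record begins here
            rec = {"apis": [], "fields": {}, "associated": []}
            records.append(rec)
            section = s
            continue
        if s in SECTIONS:
            section = s
            continue
        if rec is None:                       # text before the first record
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": m["args"] or "", "ref": m["ref"],
                                    "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"].strip(), m["val"]
            if key == "Associated":           # repeats per record; keep them all
                rec["associated"].append(val)
            else:
                rec["fields"][key] = val
    return records


def string_ids(rec):
    """Strings referenced by the function. Assumption: the String ID field joins
    them with '$' (so '*$LPT' -> ['*', 'LPT'])."""
    val = rec["fields"].get("String ID", "")
    return [s for s in val.split("$") if s] if val else []


def triage(records):
    """Return {API ID: [notes]} for the chains worth a second look (notes are mine)."""
    notes = {}
    for rec in records:
        found = []
        for api in rec["apis"]:
            parts = api["args"].split(",") if api["args"] else []
            if api["name"] == "GetDeviceCaps" and len(parts) > 1 and int(parts[1], 16) == BITSPIXEL:
                found.append("queries display colour depth (GetDeviceCaps BITSPIXEL)")
            if api["name"].startswith("WNetUseConnection"):
                found.append("connects to a network resource (WNetUseConnectionW)")
        if found:
            notes[rec["fields"].get("API ID", "?")] = found
    return notes


if __name__ == "__main__":
    for api_id, why in triage(parse_records(SAMPLE)).items():
        print(api_id, "->", "; ".join(why))
```

Running the script over a full report text instead of SAMPLE gives one line per flagged function; grouping the records by Opcode Fuzzy Hash is the natural next step when the same API ID appears twice with different hashes, as CapsDesktopDeviceReleaseWindow does on this page.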
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00BAE30D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: ErrorHandling__start
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: pow
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3213639722-2276729525
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 9c53be2307f870cee785badc55dca25c139d29de13bd9efe20bd6be9289693e6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: c2176dca6e047d45f259b926f968e037dfa74f91f3d1ff95d2446181c8ec7776
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9c53be2307f870cee785badc55dca25c139d29de13bd9efe20bd6be9289693e6
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 95515DA1A5C20297CB167714C9417FD3BE8DF81780F3449E8E0A5472E9EF74CC959A46
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: #
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 0-1885708031
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 73f5bcccf259cc496240b4cd534956595a90b10f2537301358bd34726add837c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8aef599035ef7bae3bd9d378c9a6c408daab886952eefd599a375550572b9115
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 73f5bcccf259cc496240b4cd534956595a90b10f2537301358bd34726add837c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F651B075904246DFDF19EF68C4816BABBE4EF55310F2440A6E8A19F291EA34DD42CBA0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 00B9F2A2
                                                                                                                                                                                                                                                                                                                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00B9F2BB
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: GlobalMemorySleepStatus
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2783356886-2766056989
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 946ede96246fc328095e3ea702b1c22020172f7ca23165a638d52befed9b35ae
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 939c35e4b003e359ef4a33fe037906a2542591d7a5b234ab320fbfbd55c8a5b4
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 946ede96246fc328095e3ea702b1c22020172f7ca23165a638d52befed9b35ae
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8B5138714187449BE320AF10EC86BAFBBF8FF84304F91889DF1D9511A5EB708529CB66
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BE29EB
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00BE2A8D
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE2C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00BE2CE0
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 7d438b3051e02421ba84f29bb4f494a06b175f52e04501c42861fc39dcdd5f5d
• Instruction ID: ebcee8a8792f08159e7427da89e559e5e5ee920edf52e4ddea91bc88d975737f
• Opcode Fuzzy Hash: 7d438b3051e02421ba84f29bb4f494a06b175f52e04501c42861fc39dcdd5f5d
• Instruction Fuzzy Hash: AA419270A00249ABEF25EF55C845BFE7BF9EF44750F0410A9F905A3291DB709A45CBA2
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C057E0
• _wcslen.LIBCMT ref: 00C057EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
• Opcode ID: 8bc9aa95dcb43a5b01f16bee83e4292f78a0a5b166ad658b80307ae9b0f8e1a1
• Instruction ID: a2705f61923b87526b67df2f647e80b314d9bfd8cb948b1c427868d4448dccc2
• Opcode Fuzzy Hash: 8bc9aa95dcb43a5b01f16bee83e4292f78a0a5b166ad658b80307ae9b0f8e1a1
• Instruction Fuzzy Hash: 99419E71A401099FCF04EFA9C8819BEBBF5FF59310F1081A9E915A7291E7309E81CF90
APIs
• _wcslen.LIBCMT ref: 00BFD130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BFD13A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Opcode ID: 60e3f7fd84b42410dde3ba53ff0e588656b9ad858bdd99afbab5c96258e32d5a
• Instruction ID: 6039d00de6f7e78655e0724ab65012aed4656e1868a84284123f772446fcfabd
• Opcode Fuzzy Hash: 60e3f7fd84b42410dde3ba53ff0e588656b9ad858bdd99afbab5c96258e32d5a
• Instruction Fuzzy Hash: AF311971D00209ABCF15EFA4CC85AEEBFFAFF05300F000099F915A6162E731AA16DB60
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00C13621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C1365C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 4c623ee7218c1c97dfa2eb4740a2d1d18de10eb134c7a4df3305df71c50ff1dc
• Instruction ID: 6f4cfcc2216014c30bd023b91e0a3783e4631a1c7bfa84bac82c6ec3923ad293
• Opcode Fuzzy Hash: 4c623ee7218c1c97dfa2eb4740a2d1d18de10eb134c7a4df3305df71c50ff1dc
• Instruction Fuzzy Hash: A0319E71110244AEDB10DF28DC80FFB73A9FF89764F108619F9A597290DA30AE91E764
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C1461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C14634
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: '
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-1997036262
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 35e85e7c1c4d3f5857ee7600b9b0c0ed003a92c8b43a1b367502fdc50a189d89
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: a0e1833f0ecbe00ca4ae85eae0ece3bd304d2c7bac6461c0506d4ce71d70071b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35e85e7c1c4d3f5857ee7600b9b0c0ed003a92c8b43a1b367502fdc50a189d89
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C3119B4A013099FDB18CF69C990BDE7BB6FF4A304F14406AE915AB351D770A981DF90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00BE2884
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BE28B6
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: b0605fc30da80a7c8f497452be47362f4d345205d56bcb38bc5a8ea2651ef571
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: db391f51f84535f89f12a723a1630f72cb316e543fc542f9a6c7f24526602951
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b0605fc30da80a7c8f497452be47362f4d345205d56bcb38bc5a8ea2651ef571
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3921F336E00215ABCB15AF958881DBEB7FDEF89B10F0440A9F915A7291EB749D41C7A0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BE3D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00BE3D18
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BE3C23
                                                                                                                                                                                                                                                                                                                                                                                  • _strlen.LIBCMT ref: 00BE3C2E
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend$Timeout_strlen
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2777139624-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: d49c7a7bfd8267f43165ac694fa4641d69caddca7d4be5736ec0c9f2d2029913
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 255f88164df4ae8474913d9719c8da8192ca896ad9e2e90fea08fa204d805b33
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d49c7a7bfd8267f43165ac694fa4641d69caddca7d4be5736ec0c9f2d2029913
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DB11E7317042552B8B287A7A988A9BE67E4CF45F40F2000BDF902AB392DF10DE4287D4
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: GetLocalTime.KERNEL32 ref: 00BEED2A
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: _wcslen.LIBCMT ref: 00BEED3B
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: _wcslen.LIBCMT ref: 00BEED79
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: _wcslen.LIBCMT ref: 00BEEDAF
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: _wcslen.LIBCMT ref: 00BEEDDF
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: _wcslen.LIBCMT ref: 00BEEDEF
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEED19: _wcslen.LIBCMT ref: 00BEEE2B
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C1340A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen$LocalMessageSendTime
• String ID: @U=u$SysDateTimePick32
• API String ID: 2216836867-2530228043
• Opcode ID: b87e8e39743a5fc6734a7194c72838b9d50ae1e4cbb8c0bd218395773cc9fe10
• Instruction ID: 0d7cb5163bc84ee84de3bc496849f7536e06b5d7bd0568cdaa4b9563ab4520fe
• Opcode Fuzzy Hash: b87e8e39743a5fc6734a7194c72838b9d50ae1e4cbb8c0bd218395773cc9fe10
• Instruction Fuzzy Hash: 132106313402096FEF219E54DC81FEE33AAEB45758F204519F960A71D0DAB1ED91A764
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE2178
  • Part of subcall function 00BEB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00BEB355
  • Part of subcall function 00BEB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BE2194,00000034,?,?,00001004,00000000,00000000), ref: 00BEB365
  • Part of subcall function 00BEB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BE2194,00000034,?,?,00001004,00000000,00000000), ref: 00BEB37B
  • Part of subcall function 00BEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE21D0,?,?,00000034,00000800,?,00000034), ref: 00BEB42D
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00BE21DF
  • Part of subcall function 00BEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BEB3F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
• String ID: @U=u
• API String ID: 1045663743-2594219639
• Opcode ID: d985d38d4b266af459bbdb9eff2b67246d954e1c8566c149ead72ecea2c4e3c8
• Instruction ID: da10167a7837489c1cd88a99f6c7627f0d88c391a85e0839a4eb5a4f24cff59c
• Opcode Fuzzy Hash: d985d38d4b266af459bbdb9eff2b67246d954e1c8566c149ead72ecea2c4e3c8
• Instruction Fuzzy Hash: 34215E31901118ABEF11ABA9DC81FDDBBB8FF05350F1041A5F649A6190EB715A44CB90
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C1327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C13287
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 8812e5f82abcbf5af6d478d534fedef6213bd9ac11f17ea8d9c2e5ff175f1d2b
• Instruction ID: e074fc68c7efc9294e692b469dea0cea47706070e8599385e6157defefd776b7
• Opcode Fuzzy Hash: 8812e5f82abcbf5af6d478d534fedef6213bd9ac11f17ea8d9c2e5ff175f1d2b
• Instruction Fuzzy Hash: BF11B6713002487FEF25AE54DC84FFB376AEB56368F104124F92497291D6319E91A760
APIs
  • Part of subcall function 00B8600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B8604C
  • Part of subcall function 00B8600E: GetStockObject.GDI32(00000011), ref: 00B86060
  • Part of subcall function 00B8600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B8606A
• GetWindowRect.USER32(00000000,?), ref: 00C1377A
• GetSysColor.USER32(00000012), ref: 00C13794
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: static
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1983116058-2160076837
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 8b2015f74d43a3bb8f2de9d7bdaf608b05bf3ab1ffbc65ab3fd473e47e525da3
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 50b541cdd3fffd0425d40e1ec914d9516ba0509fab7ea5f12828ad15513b201a
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b2015f74d43a3bb8f2de9d7bdaf608b05bf3ab1ffbc65ab3fd473e47e525da3
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 701129B2650209AFDB01DFA8CD45AEE7BB8FB09314F004514F965E2250D735E951EB90
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C161FC
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00C16225
                                                                                                                                                                                                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: c1662089a12442fdd46bca05ac20ddd7ba050431931dc811e6c7b9b0f3af8941
• Instruction ID: b42b5a0f34a2a9071cf2b5b63d0cd5e75de18ea781af318882522ea0f40595ad
• Opcode Fuzzy Hash: c1662089a12442fdd46bca05ac20ddd7ba050431931dc811e6c7b9b0f3af8941
• Instruction Fuzzy Hash: 7711BF31140214BEEB148F68CC59FFE3BA4EB0B310F108155FA26AA1E1D3B0DB80EB50
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BFCD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BFCDA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: d703ce4c1b76335277453e41a2fa06f8faa2a14270b3c55568801d606d0715f5
• Instruction ID: 11724e0b5d20ef0011170da451a7a3c52c810746dc3bb2be16376a515faedda4
• Opcode Fuzzy Hash: d703ce4c1b76335277453e41a2fa06f8faa2a14270b3c55568801d606d0715f5
• Instruction Fuzzy Hash: BC11A37924563DBAD7244A668C85FFBBEE8EF127A4F104276B21983090D6709889D6F0
APIs
• SendMessageW.USER32(?,?,?,?), ref: 00C14FCC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 0cbc0cf2f23d38d556fa46d3c5b0d04111e676acdc0808b74dd78d51b0b08072
• Instruction ID: e8ccb6d91d9d1a081f2a6ce9bacdc1d3db303dddd471bf38c632e1866ef8bff4
• Opcode Fuzzy Hash: 0cbc0cf2f23d38d556fa46d3c5b0d04111e676acdc0808b74dd78d51b0b08072
• Instruction Fuzzy Hash: 0321D37A60011AEFCB15DFA8C9809EE7BB5FB4E350B004194FD16A7320D631EE61EB90
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00C13147
Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u$button
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-1762282863
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f158f593881e3a3019f0b2ce6376051fe5730049909b659e06f687e1be3da2f0
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f585f1cc8601d04f84f9da9bc16fbb58510e7af4029558718d0c49391f9f3c67
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f158f593881e3a3019f0b2ce6376051fe5730049909b659e06f687e1be3da2f0
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3711A132250245BBDF119F64DC41FEE3BAAFB09358F244214FA64A7190C776EAA1A750
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B89CB3: _wcslen.LIBCMT ref: 00B89CBD
                                                                                                                                                                                                                                                                                                                                                                                  • CharUpperBuffW.USER32(?,?,?), ref: 00BE6CB6
                                                                                                                                                                                                                                                                                                                                                                                  • _wcslen.LIBCMT ref: 00BE6CC2
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: STOP
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1256254125-2411985666
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2755e602105f0ea281b2723f0619914610994adbbfbcbc3061a28f197eb07725
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6eba2074a1f028e9340863bd29f9a5f12167d0189487dcc9a12615e206b55b6e
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2755e602105f0ea281b2723f0619914610994adbbfbcbc3061a28f197eb07725
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A4010432A1056A8BCB20AFFECC809BF73F5FA7179076005B8E85292291EB31D810C750
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE21D0,?,?,00000034,00000800,?,00000034), ref: 00BEB42D
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00BE243B
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000102B,?,00000000), ref: 00BE245E
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend$MemoryProcessWrite
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 1195347164-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 0d299ce1ff54bf4263a8c313f2cfb0d24c76a1b5628d7f804cb575741392349e
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 5bb136c3448f423be443c966e6941b97b511707c5876cfc2fdb65951bea4b465
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0d299ce1ff54bf4263a8c313f2cfb0d24c76a1b5628d7f804cb575741392349e
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B01F932900218ABEB116F69DC86FEEBBBCDB14310F1040A6F515A61D1DB705D45CB60
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000133E,00000000,?), ref: 00C143AF
                                                                                                                                                                                                                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00C14408
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: InvalidateMessageRectSend
• String ID: @U=u
• API String ID: 909852535-2594219639
• Opcode ID: 95355e75200175e081e9eb0a9be49359154a1f2f021872728622b797f8ea9848
• Instruction ID: 51c2a117871270393ca90e4d6da059b55c50c524fb247e4ee051b4c9e3f03fd8
• Opcode Fuzzy Hash: 95355e75200175e081e9eb0a9be49359154a1f2f021872728622b797f8ea9848
• Instruction Fuzzy Hash: A0119D34500744AFE725CF24C891BEBBBE5BF06310F10851CE8BA97291C770AA81AB50
APIs
• SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00BE2531
• SendMessageW.USER32(?,0000040D,?,00000000), ref: 00BE2564
  • Part of subcall function 00BEB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BE21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00BEB3F8
  • Part of subcall function 00B86B57: _wcslen.LIBCMT ref: 00B86B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend$MemoryProcessRead_wcslen
• String ID: @U=u
• API String ID: 1083363909-2594219639
• Opcode ID: 4d9c6e6779c8c201d5af69b38f9a28f7be31c440739de5e3d2830f601ee54407
• Instruction ID: f2728aed948fdf5cc7a80b087da563037760d8c33cdb9797ae52a0a5877ad16e
• Opcode Fuzzy Hash: 4d9c6e6779c8c201d5af69b38f9a28f7be31c440739de5e3d2830f601ee54407
• Instruction Fuzzy Hash: 8C012971901128AFDB54AFA4DC91EEE77ACFF24344F80C0A6F649A6150EF705E89CB90
APIs
  • Part of subcall function 00B99BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00B99BB2
• DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00BD769C,?,?,?), ref: 00C19111
  • Part of subcall function 00B99944: GetWindowLongW.USER32(?,000000EB), ref: 00B99952
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00C190F7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: LongWindow$MessageProcSend
• String ID: @U=u
• API String ID: 982171247-2594219639
• Opcode ID: 78a803d3e30719e43df8abb8e59f25dd1049189061b7986e743757d8928f58ed
• Instruction ID: 3a04bb5d9ce4bf22599cb96a556d8bf718a7ee5ebcd2fc662c3218143604a99f
• Opcode Fuzzy Hash: 78a803d3e30719e43df8abb8e59f25dd1049189061b7986e743757d8928f58ed
• Instruction Fuzzy Hash: 8801BC34100214BBDB219F24DC99FEA3BB6FB8B365F240168F9611A2E1C7326DD1EB50
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BE2480
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BE2497
  • Part of subcall function 00BE23DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00BE243B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: eb9cd16ca18b87ebe7065a09c8cc3a0265aadc6dd2a97fed05186884bd05fbbf
• Instruction ID: 38bcc92ff3e38286aed1aa68c7cd94ddc59ad636d82421a6956186085327c243
• Opcode Fuzzy Hash: eb9cd16ca18b87ebe7065a09c8cc3a0265aadc6dd2a97fed05186884bd05fbbf
• Instruction Fuzzy Hash: 96F0E230641165BEEB201B16CC0AEDFBFADEF46760B104054B905A2191C6A05D41C6A0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
• Opcode ID: 4f0435055743b342a13f77adffb102f666d17786e36111c82a0b62612a664cc0
• Instruction ID: d698d8ea9ab659697f7db6960c625b89e800ad1942dcea5c5efba207b83ba761
• Opcode Fuzzy Hash: 4f0435055743b342a13f77adffb102f666d17786e36111c82a0b62612a664cc0
• Instruction Fuzzy Hash: 64E06102B0836014D33516B9DCC197F96CDDFC6750710192BF981C22E6EBD4DEA1D7A0
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BE2BFA
• SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00BE2C2A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: 5de79f9bbffdce82e9ff82ed4d5998ce8a2302df8a0d2b6f2e36aaba64b960f2
• Instruction ID: 32b1e05cacda817b4439df5306d646d675d1e1de1f22bf97cbad8dedc95957af
• Opcode Fuzzy Hash: 5de79f9bbffdce82e9ff82ed4d5998ce8a2302df8a0d2b6f2e36aaba64b960f2
• Instruction Fuzzy Hash: 92F08C75280308BFFA156B81DC8AFEA3B9CEB19761F104064B7055A1D1CAA25C1097A0
APIs
  • Part of subcall function 00BE286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00BE2884
  • Part of subcall function 00BE286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BE28B6
• SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00BE2D80
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BE2D90
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: MessageSend
• String ID: @U=u
• API String ID: 3850602802-2594219639
• Opcode ID: e648dacdae1344741d7e744531d6d5b6791f8acae517679ddb40b1d3130526db
• Instruction ID: ccb49f4ccc05c2938d3de3f82e4212b86b241729707fd7339818076066b1b018
• Opcode Fuzzy Hash: e648dacdae1344741d7e744531d6d5b6791f8acae517679ddb40b1d3130526db
• Instruction Fuzzy Hash: 85E092752443497EF6210B529C86FA6379CDB59751F108036B30465091DBE2CC105520
APIs
• SendMessageW.USER32(?,0000133D,?,?), ref: 00C15855
• InvalidateRect.USER32(?,?,00000001), ref: 00C15877
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: InvalidateMessageRectSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 909852535-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 2f1bb7c42838a5bdbf7642e7312a67f30d3381dc684851e89ef0ff00e57c32fa
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 82a83a1b41357e133c0ecc346a2b3853cf5c2fcb2ef0a70d724a79ab851fbacc
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2f1bb7c42838a5bdbf7642e7312a67f30d3381dc684851e89ef0ff00e57c32fa
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D9F08272604150EEDB208B65DD44FEEBBF8EB86321F0441B2F56AD9051D6308BC2DB20
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BE0B23
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: Message
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: AutoIt$Error allocating memory.
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 2030045667-4017498283
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: a3b3a9d1caf899f5171ba8b5a54b8a031457d17af1d0147c5c52999a3c55f257
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 6e4a4486ee2572c7eb6210368396612ad96b99e3e8c4f6e545bb2c4007adb2e1
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a3b3a9d1caf899f5171ba8b5a54b8a031457d17af1d0147c5c52999a3c55f257
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FAE0D83128430827D61436547C43FC97BC49F07F21F1044B6FB58954C38BD1689056E9
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00B9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BA0D71,?,?,?,00B8100A), ref: 00B9F7CE
                                                                                                                                                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,00B8100A), ref: 00BA0D75
                                                                                                                                                                                                                                                                                                                                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B8100A), ref: 00BA0D84
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BA0D7F
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 55579361-631824599
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: af47173c2748c188f7dd34c736391d425159b3e1124ee40b993fd162039c6d4c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 269c243369f388d9d225e222bbf02fc3a8138cacc05427bc74fff81c33d7f2f0
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: af47173c2748c188f7dd34c736391d425159b3e1124ee40b993fd162039c6d4c
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 08E065752047018BD760AFB9D44839A7BE0BF02740F0089BDE885C6661D7F4E4848B91
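Two of the API blocks on this page deserve a second look before they are counted as malicious behaviour. IsDebuggerPresent sitting next to OutputDebugStringW and the string "ERROR : Unable to initialize critical section in CAtlBaseModule" is the ATL runtime's own CAtlBaseModule constructor (statically linked library code), not a check written by the script author. GetTempFileNameW called with the prefix "aut" is consistent with the AutoIt runtime the report's "AutoIt" caption string and "compiled AutoIt script" signature already point to, and such files land in %TEMP% as aut*.tmp. The following is an added example, not Joe Sandbox's code and not code from the sample: a parser for the plugin's "Name.MODULE(args), ref: ADDR" lines plus a small triage pass that applies those two readings. The SAMPLE text is copied from this page's listing; parse_api_calls, triage and the finding labels are my own names.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One call line as the Joe Sandbox IDA plugin prints it:
#   • Name.MODULE(arg,arg,...), ref: ADDR
# optionally prefixed with "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"^•?\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Constructed sample input: the call lines copied from the listing on this page.
SAMPLE = """\
APIs
• SendMessageW.USER32(?,0000133D,?,?), ref: 00C15855
• InvalidateRect.USER32(?,?,00000001), ref: 00C15877
Strings
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BE0B23
Strings
APIs
  • Part of subcall function 00B9F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BA0D71,?,?,?,00B8100A), ref: 00B9F7CE
• IsDebuggerPresent.KERNEL32(?,?,?,00B8100A), ref: 00BA0D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B8100A), ref: 00BA0D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BA0D7F
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BF302F
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BF3044
"""


@dataclass
class ApiCall:
    block: int              # index of the "APIs" block the call was listed under
    api: str
    module: str
    args: List[str]
    ref: str                # address of the call site
    subcall: Optional[str]  # function the call is reached through, when Joe marks it


def parse_api_calls(text: str) -> List[ApiCall]:
    """Turn the plugin's call lines into records, grouped by their 'APIs' block."""
    calls, block = [], -1
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            block += 1
            continue
        m = API_LINE.match(line)
        if m is None or block < 0:
            continue
        # Naive comma split: a string argument that itself contains a comma would be cut.
        args = [a.strip() for a in m.group("args").split(",")]
        calls.append(ApiCall(block, m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


def triage(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Map parsed calls to (finding, call-site) pairs. Rules are my own, not Joe Sandbox's:
    - IsDebuggerPresent beside OutputDebugStringW in the same function is the ATL
      CAtlBaseModule startup check, so it is labelled as library code, not anti-debug.
    - GetTempFileNameW with prefix "aut" matches the AutoIt runtime's temp files,
      which appear on disk as %TEMP%\\aut*.tmp (a usable hunting pattern).
    - MessageBoxW with the caption "AutoIt" is another AutoIt runtime string.
    """
    groups = {}
    for c in calls:
        groups.setdefault(c.block, []).append(c)
    findings = []
    for group in groups.values():
        names = {c.api for c in group}
        for c in group:
            if c.api == "IsDebuggerPresent":
                kind = "atl-init-debugger-check" if "OutputDebugStringW" in names else "anti-debug"
                findings.append((kind, c.ref))
            elif c.api == "GetTempFileNameW" and len(c.args) > 1 and c.args[1].lower() == "aut":
                findings.append(("autoit-temp-file", c.ref))
            elif c.api == "MessageBoxW" and "AutoIt" in c.args:
                findings.append(("autoit-runtime-string", c.ref))
    return findings


if __name__ == "__main__":
    for kind, ref in triage(parse_api_calls(SAMPLE)):
        print(f"{kind:26s} at {ref}")
```

Run against the listing it prints one line per finding, keyed by the call-site address so each can be checked back against the block above. The parser keys on the literal "APIs" heading to delimit functions, so it works on the report text as pasted; the "Strings" and "Memory Dump Source" lines are simply skipped because they never match the call-line pattern.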
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00BF302F
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00BF3044
Strings
Memory Dump Source
• Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
• Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 6bb8a41e39dc4acca78f5c9b3baabbb3d22dbb4af18a25dfa5643690af33fa8e
• Instruction ID: 01d3657b64fc0673f8ce71b58ebb235426b9e035658153723a005ee75737dc40
• Opcode Fuzzy Hash: 6bb8a41e39dc4acca78f5c9b3baabbb3d22dbb4af18a25dfa5643690af33fa8e
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 75D05EB254032867DA20A7A4AC4EFCB3A6CEB06750F0002A1B655E2091DAF49984CAD0
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C1236C
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(00000000), ref: 00C12373
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEE97B: Sleep.KERNEL32 ref: 00BEE9F3
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 529655941-2988720461
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 70968fb6f5b0ea5102177a85fbeb0d126f0e8246714aa645c0e65a0585bc61c1
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 8c1447b16828d771a557d3d4734dc466dd7a9f4044ee5df59f6273bc1898f675
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 70968fb6f5b0ea5102177a85fbeb0d126f0e8246714aa645c0e65a0585bc61c1
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EBD022323C03007BE264B370DC4FFCAB644BB02B00F008A127301EA0D4C9F0B840CA04
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C1232C
                                                                                                                                                                                                                                                                                                                                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C1233F
                                                                                                                                                                                                                                                                                                                                                                                    • Part of subcall function 00BEE97B: Sleep.KERNEL32 ref: 00BEE9F3
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: FindMessagePostSleepWindow
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 529655941-2988720461
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: 362b84bf386cf481038227830473436a6bc593b1a86259422eefbf74e0ed0b64
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: f2e15e9875c65bfddd8ec690a17bab483ec0b3a3072385216ff8bb38f9a05cf9
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 362b84bf386cf481038227830473436a6bc593b1a86259422eefbf74e0ed0b64
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 13D022363C4300BBE264B370DC4FFCABA44BB01B00F008A127305AA0D4C9F0A840CA00
                                                                                                                                                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BE231F
                                                                                                                                                                                                                                                                                                                                                                                  • SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00BE232D
                                                                                                                                                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.1449699813.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449511713.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C1C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1449998424.0000000000C42000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450166124.0000000000C4C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.1450298491.0000000000C54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_b80000_kjDPynh9vQ.jbxd
                                                                                                                                                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                                                                                                                                                  • API ID: MessageSend
                                                                                                                                                                                                                                                                                                                                                                                  • String ID: @U=u
                                                                                                                                                                                                                                                                                                                                                                                  • API String ID: 3850602802-2594219639
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode ID: f9e4b9e4188e6def7e5c0c9387c7d6035d0a083815233605dc3cb8d824c6e8d5
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction ID: 0a26102aad8752f9a3ac86e13f358a5965939be5394fb146f74ab2b565cb468b
                                                                                                                                                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f9e4b9e4188e6def7e5c0c9387c7d6035d0a083815233605dc3cb8d824c6e8d5
                                                                                                                                                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 25C00231180180BAE6211B67AD4DE9B3E3DE7DBF517105158B215950A586650055D624